On 2020-08-12 21:30, Dan Peretz wrote:
Hello, the FAQ states this:

"The installXX.iso and installXX.fs images do not contain an SHA256.sig file, so the installer will complain that it can't check the signature of the included sets [...] This is because it would make no sense for the installer to verify them. If someone were to make a rogue installation image, they could certainly change the installer to say the files were legitimate."

Although that's true for intentional modifications, it would still be useful to have the installation medium perform a self integrity check against accidental or natural data corruption. For example, Ubuntu recently enabled a by-default integrity check, starting with release 20.04: "Ubuntu now defaults to checking the integrity of the medium in use when booting into live sessions. This can be skipped by hitting Ctrl-C. We've enabled this because failed installs due to corrupt downloads of installation media is one of the most common error conditions that users encounter." (Source: <https://ubuntu.com/blog/whats-new-in-ubuntu-desktop-20-04-lts>)

I would like to have OpenBSD include at least an unsigned SHA256 file in the discs. The installer would then detect that the checksums are unsigned and warn about the security implications, but it would let the user run the check.

I think it would be wise to make it check the bsd.rd image that's actually booted when booting from the disc, and not just the bsd.rd file set. (I get that the OpenBSD installer is just a multipurpose "bsd.rd" RAM disk that can be found not just in the installation discs, right?)

Thank you!
I think the whole idea is to check the ISO itself with signify before you even boot/write it. If you're concerned about whether the ISO was written to your install media correctly (or its integrity after the fact), then it should be pretty straightforward to check if the hashes match up. Once you've verified the SHA256 file from the mirrors, you know the hashes are valid (and if you're worried about MITM/compromised web hosts, the signify keys are published all over social media and blogs etc). Signify does its best to cope with the chicken and the egg problem (and everything that comes with trusting trust), but at the end of the day, you have to draw the line somewhere.
If you're spooked about the SHA256.sig warning, then you can install over the network from a mirror, but ultimately it's irrelevant. Check your ISO with signify and you're good to go.
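The "check if the hashes match up" step from the reply above, written out as an added example (this is not code from the thread or from the OpenBSD project). It assumes the SHA256 list has already been verified with signify (the 6.7 key path and file names in the comments are illustrative), and it shows the one detail people trip over: a USB stick or disk is larger than the image, so hashing the whole device never matches the listed value; only the first image-size bytes are compared. The fixtures (a 4 KiB random "image" and a "device" with trailing zero blocks) are constructed inside the script.

```shell
#!/bin/sh
# Added example: confirm that an OpenBSD install image was written to a device
# intact, using the SHA256 list that signify already verified, e.g. (assumed
# release/key paths):
#   signify -C -p /etc/signify/openbsd-67-base.pub -x SHA256.sig install67.iso
# Real usage after writing the stick (assumed device name):
#   verify_written_image SHA256 install67.iso /dev/rsd1c
set -eu

# Hash stdin; OpenBSD ships sha256(1), Linux ships sha256sum(1).
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        sha256 -q
    fi
}

# Pull one file's expected hash out of a BSD-style list whose lines look like
#   SHA256 (install67.iso) = <64 hex digits>
expected_hash() {   # $1 = SHA256 list, $2 = file name
    awk -v f="$2" '$1 == "SHA256" && $2 == ("(" f ")") { print $4 }' "$1"
}

# Hash only the first <image size> bytes of the device and compare with the
# list. Returns 0 on match, 1 on mismatch, 2 if the list has no entry.
verify_written_image() {   # $1 = SHA256 list, $2 = image file, $3 = device
    want=$(expected_hash "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2
    size=$(wc -c < "$2" | tr -d ' ')
    # Read whole 512-byte blocks so raw devices, which reject unaligned
    # reads, behave the same as regular files.
    if [ $((size % 512)) -ne 0 ]; then
        echo "image size $size is not a multiple of 512 bytes" >&2
        return 2
    fi
    got=$(dd if="$3" bs=512 count=$((size / 512)) 2>/dev/null | hash_stdin)
    [ "$got" = "$want" ]
}

# Constructed fixtures: a fake 4 KiB image, a fake "device" holding the image
# followed by 4 KiB of zeros, and a SHA256 list with the image's entry.
make_fixtures() {   # $1 = scratch directory
    dd if=/dev/urandom of="$1/install67.iso" bs=512 count=8 2>/dev/null
    { cat "$1/install67.iso"; dd if=/dev/zero bs=512 count=8 2>/dev/null; } \
        > "$1/stick.img"
    printf 'SHA256 (install67.iso) = %s\n' \
        "$(hash_stdin < "$1/install67.iso")" > "$1/SHA256"
}

# Returns 0 when the length-limited check passes while a naive hash of the
# whole device differs from the listed value (the trap this script avoids).
self_test() {
    dir=$(mktemp -d)
    make_fixtures "$dir"
    rc=1
    if verify_written_image "$dir/SHA256" "$dir/install67.iso" "$dir/stick.img" &&
       [ "$(hash_stdin < "$dir/stick.img")" != \
         "$(expected_hash "$dir/SHA256" install67.iso)" ]; then
        rc=0
    fi
    rm -rf "$dir"
    return $rc
}

if self_test; then
    echo "OK: first image-size bytes of the device match the SHA256 entry;"
    echo "    the whole-device hash differs, as expected"
else
    echo "FAIL: written image does not match" >&2
    exit 1
fi
```

Hashing the device is only meaningful after the SHA256 list itself has passed signify; an unsigned list merely shows the bytes landed where you put them, which is exactly the FAQ's point about accidental corruption versus a rogue image.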