On Sun, Oct 08, 2023 at 02:36:16PM +0200, Thomas wrote:
> Hello,
>
> I am installing OpenBSD on an old xps13 9380. The WiFi is not supported and
> so I am using a USB dongle for which I need the athn-firmware. I got it to
> work and now want to prep a USB disk with all necessary firmware. I'm
> following FAQ#4 on the website (I suppose it works with more firmware
> than just the WiFi).
>
> So, now to my question. Using fw_update -F to the current dir does download
> all firmware (5 files) and SHA256.sig. However, the file SHA256.sig does not
> include the signature; using signify like so:
>
> signify -Cp /etc/signify/openbsd-73-fw.pub -x SHA256.sig *
>
> fails with the message: invalid comment in SHA256.sig; must start with 'untrusted
> comment: '
>
> Downloading the SHA256.sig from firmware.openbsd.org/firmware/7.3/SHA256.sig,
> which includes the signature, does work.
>
> Is that normal behaviour? Since the firmware.openbsd.org site is not
> HTTPS, and, at least for me, fw_update does not download a signed
> SHA256.sig, would it not be possible to download unintended files?
fw_update does download and verify the signature on SHA256.sig; however, it then overwrites the signed copy with one without the signature. Normally, once it's verified we trust the location of the files and so we don't need to verify the signature again, but in the download case that may not be true (even if we trust the user when installing from a local directory and don't require a signed SHA256 file).

https://github.com/openbsd/src/blob/master/usr.sbin/fw_update/fw_update.sh#L183-L185

> Thanks in advance,

Thanks for noticing. I'll look at how best to adjust that when I have time to look at fw_update again.
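The check a practitioner would want before trusting a directory prepared with fw_update -F, as an added example that is not part of the thread and not fw_update's or signify's own code: it tells a signify-signed SHA256.sig (two-line "untrusted comment:" header plus base64 signature) apart from the bare checksum list fw_update leaves behind, refuses the unsigned case, runs the full signify -C check where signify exists, and on a host without signify falls back to the per-file hash comparison that signify -C performs after the signature step. The file name, the key path argument and the hash-tool selection are assumptions; the fallback proves integrity only relative to the list, not the list's origin.

```shell
#!/bin/sh
# Added example, not fw_update's own code: sanity-check a firmware
# directory prepared with "fw_update -F" before trusting it offline.

# Print the SHA-256 of a file; OpenBSD ships sha256(1), Linux sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Return 0 if $1 looks like a signify-signed file (first line
# "untrusted comment: ...", second line the base64 signature), else 1.
# This is exactly the header signify complained about being absent.
is_signed_sha256() {
    head -n 1 "$1" 2>/dev/null | grep -q '^untrusted comment: '
}

# Compare every "SHA256 (name) = hex" line in list $1 against the files
# in directory $2.  Header lines of a signed list are skipped.  This is
# the file check signify -C performs *after* verifying the signature;
# on its own it does not establish where the list came from.
check_sha256_list() {
    list=$1; dir=$2; bad=0; n=0
    while IFS= read -r line; do
        case $line in
            'SHA256 ('*') = '*) ;;
            *) continue ;;
        esac
        name=${line#SHA256 (}; name=${name%%) = *}
        want=${line##* = }
        n=$((n + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; bad=1; continue
        fi
        got=$(hash_file "$dir/$name")
        if [ "$got" != "$want" ]; then
            echo "FAILED $name" >&2; bad=1
        fi
    done < "$list"
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Decide whether a prepared directory can be trusted:
#   unsigned SHA256.sig                  -> refuse (exit 2); get the signed one
#   signed SHA256.sig, signify available -> signature + file check (signify -C)
#   signed SHA256.sig, no signify        -> hash check only (assumed fallback)
verify_firmware_dir() {
    dir=$1; pub=${2:-/etc/signify/openbsd-73-fw.pub}
    if ! is_signed_sha256 "$dir/SHA256.sig"; then
        echo "SHA256.sig in $dir carries no signify signature; fetch the signed" >&2
        echo "SHA256.sig from firmware.openbsd.org before trusting this directory" >&2
        return 2
    fi
    if command -v signify >/dev/null 2>&1; then
        # No file arguments: signify -C checks every file named in the list.
        (cd "$dir" && signify -Cp "$pub" -x SHA256.sig)
    else
        check_sha256_list "$dir/SHA256.sig" "$dir"
    fi
}
```

Typical use is `verify_firmware_dir /mnt/usb/firmware` on the prepared stick; a return code of 2 means the directory holds only fw_update's unsigned checksum list and the signed SHA256.sig must be obtained and verified first.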