12th July 2014
jggimi (More noise than signal)

Quote:
What I need also is the signing key belonging to the person(s) who sign(s) the ISO images.
That is a private (secret) key.

Each message that has been signed with the private key can be verified against the public key, and the public key, only. Using signify(1), only.
Quote:
gpg --keyserver...
As previously mentioned, signify is a self-contained cryptographic framework. It does not use gpg or any other external crypto framework you have used with other OSes. At all.

Here are your options, if you wish to use OpenBSD:
  1. Port signify to the OS of your choice. The source code is publicly available to you, from CVS servers that have SSH fingerprints. I've seen an OS X port.
  2. Install OpenBSD twice. Once, without the signify crypto framework available to you. Then reinstall, the second time using it. A minimal installation from your ISO will only require kernels and two filesets: base55.tgz and etc55.tgz, and even on my slowest platform (Alix with compact flash media) this takes about 5 minutes.
  3. Install OpenBSD once, using the unsigned but quite valid SHA256 cryptographic hashes. Download them from an alternate mirror, to be sure the men-in-black haven't corrupted the mirror where you downloaded your ISO, or kernels and filesets.
Until this latest release, Option 3 was the only option available to us. And it is still available to you.
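Option 3 above, checking a download against the published SHA256 list, as an added example that is not part of jggimi's post or of OpenBSD itself. It assumes the list uses the BSD-style line format `SHA256 (filename) = hexdigest`, that one of sha256sum, sha256 or openssl is on PATH, and that awk and mktemp are available; the files it verifies are constructed in a temporary directory, no real ISO is involved.

```shell
#!/bin/sh
# Added example, not from the forum post: check a downloaded file against a
# BSD-style SHA256 list (the format OpenBSD publishes), one line per file:
#   SHA256 (install55.iso) = <64 hex digits>
# Assumptions: sha256sum, sha256 or openssl is on PATH; awk and mktemp exist.

# Print the lowercase hex SHA256 of file $1 using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$1" | awk '{ print $1 }'
    else
        echo "no SHA256 tool found" >&2
        return 2
    fi
}

# Print the digest recorded for file name $2 in the SHA256 list $1
# (prints nothing if the file is not listed).
expected_digest() {
    awk -v name="$2" '$1 == "SHA256" && $2 == "(" name ")" { print tolower($4); exit }' "$1"
}

# verify_file LIST FILE
# Exit status: 0 digest matches, 1 mismatch, 2 no digest tool, 3 FILE not listed.
verify_file() {
    list=$1
    file=$2
    name=$(basename -- "$file")
    want=$(expected_digest "$list" "$name")
    if [ -z "$want" ]; then
        echo "$name: not listed in $list" >&2
        return 3
    fi
    have=$(sha256_of "$file") || return 2
    if [ "$have" = "$want" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $want, got $have)" >&2
    return 1
}

# Self-contained demonstration with constructed files: a "good" download that
# matches the list and a "tampered" copy (one extra byte) that must not.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/good" "$tmp/tampered"
    printf 'pretend this is install55.iso\n' > "$tmp/good/install55.iso"
    { cat "$tmp/good/install55.iso"; printf 'X'; } > "$tmp/tampered/install55.iso"
    # Constructed SHA256 list, in OpenBSD's line format, generated from the good file.
    printf 'SHA256 (install55.iso) = %s\n' "$(sha256_of "$tmp/good/install55.iso")" > "$tmp/SHA256"
    good=0; verify_file "$tmp/SHA256" "$tmp/good/install55.iso" || good=$?
    bad=0;  verify_file "$tmp/SHA256" "$tmp/tampered/install55.iso" 2>/dev/null || bad=$?
    rm -rf "$tmp"
    # Succeeds only if the good file verified and the tampered one was rejected.
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

In real use, fetch the SHA256 list from a different mirror than the one that served the ISO, as the post suggests, and run `verify_file ./SHA256 ./install55.iso`; a non-zero exit means the download should be discarded rather than booted.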