I know next to nothing about crypto, so I have a really dumb question.
I just can't get past it, so I'd like to ask:
When you install the initial unverified OS, how can you trust anything it's telling you? Isn't it possible, at least in principle, that the bad guys have tampered with and corrupted it such that when you think you're running signify on it, you get bogus output that says "everything is ok" ?