13th July 2014
cravuhaw2C

Quote:
Originally Posted by jggimi View Post
That is a private (secret) key.
I apologize for the confusion. What I need is the public portion of the signing key that can be retrieved from pgp.mit.edu or any publicly-hosted keyserver. However... (see below)

Quote:
Originally Posted by jggimi View Post
Using signify(1), only.
Quote:
Originally Posted by jggimi View Post
It does not use gpg or any other external crypto framework you have used with other OSes. At all.
Finally, the clarification that the ISO images can't be verified using GPG tools. This has not been made explicitly clear in the FAQs and man pages.

Quote:
Originally Posted by jggimi View Post

Port signify to the OS of your choice. The source code is publicly available to you, from CVS servers that have SSH fingerprints. I've seen an OS X port.
Thanks for the suggestion. But I'm technically challenged. I don't have a diploma or degree in IT or computer science.



Quote:
Originally Posted by jggimi View Post
Install OpenBSD twice. Once, without the signify crypto framework available to you. Then reinstall, the second time using it.

That's the suggestion that I'm gonna try. In fact I don't have to install it twice. The first time I install OpenBSD is without the verification using signify.


When I am in OpenBSD OS, I will use signify to verify my earlier downloaded ISO image. If it passes verification, I won't need to reinstall the OS a second time. If it fails, I will have to download the ISO image from another mirror and use the signify app that is on the already installed OpenBSD OS to verify the second-time download.



Quote:
Originally Posted by jggimi View Post
Install OpenBSD once, using the unsigned but quite valid SHA256 cryptographic hashes. Download them from an alternate mirror, to be sure the men-in-black haven't corrupted the mirror where you downloaded your ISO, or kernels and filesets.

For your info, the men-in-black are capable of corrupting all the mirrors of any Linux distro. Take Gentoo for example. One of their apps was infected with a backdoor and all of their mirrors contained the same infected file.


On a side note, I read somewhere that the NSA was planning to create 6,000 IT experts annually.
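The alternate-mirror SHA256 comparison quoted in the post above, sketched as an added example that is not part of the original thread. It parses the BSD-style `SHA256 (file) = digest` lines, compares the lists from two mirrors, then compares the downloaded file's own hash; the file name `install.iso` and the function names are assumptions made for illustration.

```python
import hashlib
import re

# BSD-style checksum line as used in OpenBSD's SHA256 files:
#   SHA256 (filename) = <64 lowercase hex digits>
LINE_RE = re.compile(r"SHA256 \(([^)]+)\) = ([0-9a-f]{64})")

def parse_sha256_file(text):
    """Return {filename: digest}; reject malformed or conflicting lines."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a SHA256 checksum line")
        name, digest = m.groups()
        if digests.setdefault(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name}")
    return digests

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large ISO is never fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def cross_check(name, local_digest, mirror_a_text, mirror_b_text):
    """Classify a download against checksum lists from two mirrors."""
    a = parse_sha256_file(mirror_a_text).get(name)
    b = parse_sha256_file(mirror_b_text).get(name)
    if a is None or b is None:
        return "missing-entry"
    if a != b:
        return "mirrors-disagree"
    if a != local_digest.lower():
        return "download-mismatch"
    return "ok"

if __name__ == "__main__":
    # Constructed sample data: digest of a stand-in byte string, not a real ISO.
    good = hashlib.sha256(b"constructed sample image").hexdigest()
    listing = f"SHA256 (install.iso) = {good}\n"
    print(cross_check("install.iso", good, listing, listing))
```

An "ok" result only shows that both mirrors and the download agree on the same bytes; tying those bytes to the project's key is what the signify check discussed in the thread provides.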