Quote:
Originally Posted by cravuhaw2C
What is that single authority?
For OpenBSD software, it is The OpenBSD Project (the "Project"), in two ways:
- By the Project member who issued signify(1) -G to create the key pair. The public key is distributed in /etc/signify by the Project in its distributions, and the private key is managed by applicable members of the Project.
- By the Project members who use signify(1) -S to sign messages*, which may be source code components (break/fix patches for releases, and as of today, Portable LibreSSL), kernels and installation filesets, distributable third party firmware, and all distributed pre-compiled binary packages of third party software that has been configured to run on OpenBSD.
* Message being the term used in signify(1) for the plaintext that is to be cryptographically signed or verified.
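
The -G / -S / -V cycle described above, as an added example that is not part of the original post and does not use any Project key. It assumes signify is installed (named `signify-openbsd` on some Linux distributions); the key and message file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: round trip with a throwaway signify key pair.
# Returns 0 if sign/verify/tamper checks behave as expected,
# 1 if any check misbehaves, 2 if no working signify binary is available.
signify_roundtrip() {
    bin=$(command -v signify-openbsd || command -v signify) || return 2
    dir=$(mktemp -d) || return 2
    rc=0

    # -G: create the key pair. -n skips the passphrase, which is only
    # acceptable for a disposable demo key like this one.
    if ! "$bin" -G -n -p "$dir/demo.pub" -s "$dir/demo.sec" 2>/dev/null; then
        rm -rf "$dir"
        return 2
    fi

    # The "message" is whatever plaintext is being signed (constructed here).
    printf 'constructed sample message\n' > "$dir/msg"

    # -S: only the holder of the secret key can produce msg.sig.
    "$bin" -S -s "$dir/demo.sec" -m "$dir/msg" -x "$dir/msg.sig" || rc=1

    # -V: anyone holding the public key can check the message.
    "$bin" -V -q -p "$dir/demo.pub" -m "$dir/msg" -x "$dir/msg.sig" || rc=1

    # A modified message must no longer verify against the same signature.
    printf 'tampered line\n' >> "$dir/msg"
    if "$bin" -V -q -p "$dir/demo.pub" -m "$dir/msg" -x "$dir/msg.sig" 2>/dev/null; then
        rc=1
    fi

    rm -rf "$dir"
    return "$rc"
}

if signify_roundtrip; then
    echo "signify round trip behaved as expected"
else
    echo "signify missing or a check failed"
fi
```

On an OpenBSD system the verification step for Project-signed files uses a public key from /etc/signify in place of the demo key.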