DaemonForums  

#1 | 5th July 2014 | cravuhaw2C (Port Guard) | Join Date: Jul 2014 | Posts: 45
Where to download public key files?

According to 3.5 "Verifying your download" (hxxp://w.w.w.openbsd.org/faq/faq3.html#Verify) I need the public key files and the signify program.

Where can I download them?

Moreover I am using Debian stable.

P.S.: I'm only allowed to post URLs once I have made at least 5 posts.
#2 | 5th July 2014 | jggimi (More noise than signal) | Join Date: May 2008 | Location: USA | Posts: 7,975

Hello, and welcome!

OpenBSD's source code for signify(1) is located in its source tree, at src/usr.bin/signify -- and it is dependent upon both OpenBSD's libc and libutil. These libraries are also in the source tree, at src/lib/{libc,libutil}. The source code for 5.5-release can be obtained four ways:
  1. Obtain it from a tarball on the release CD set.
  2. Obtain it from two tarballs at your nearest download mirror.
  3. Use one of OpenBSD's AnonCVS repositories and cvs(1) on Debian. Use "-r OPENBSD_5_5" for the source code, as described in the link. (This is actually -stable, which is -release plus any break/fix patches)
  4. While primarily for on-line review of patches and source files, you could manually obtain the source one file at a time from OpenBSD's web portal to the CVS repositories. Be sure to only download the revisions tagged with OPENBSD_5_5 as mentioned above.
----

I think that porting the signify utility to Debian would be a more difficult and complicated task than running OpenBSD's installation/rescue system. This is a kernel that includes a small root filesystem in RAM that includes the signify utility. OpenBSD did not have the utility until 5.5. For all previous releases, we verified installation binaries only with checksums -- we did not have cryptographic hashes to verify against keys.

Last edited by jggimi; 5th July 2014 at 10:07 AM. Reason: corrected flavor description of the OPENBSD_5_5 tag
#3 | 5th July 2014 | jggimi (More noise than signal) | Join Date: May 2008 | Location: USA | Posts: 7,975

Oh, yes ... the public key files are in ./etc/signify in the base55.tgz installation fileset for your architecture, and also in /etc/signify of the installation/rescue OS, the "RAMDISK" kernel I mentioned above. And yes, they're also in the source tree, in src/etc/signify.

Last edited by jggimi; 5th July 2014 at 10:19 AM.
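Once the .pub files from etc/signify and a .sig file are on a non-OpenBSD machine, the key number stored in each file shows which key a signature claims to come from. The following is an added example, not code from the thread or from OpenBSD; it assumes signify's two-line file layout (a comment line, then base64 of "Ed", an 8-byte key number, and 32 key bytes or 64 signature bytes), and the file names and bytes in it are constructed.

```python
import base64

COMMENT_HDR = "untrusted comment: "
PKALG = b"Ed"                           # algorithm tag signify writes (Ed25519)
KEYNUM_LEN = 8                          # key number shared by a key pair
BODY_LEN = {"pubkey": 32, "sig": 64}    # bytes after the tag and key number


def parse_signify(text, kind):
    """Parse a signify public key ("pubkey") or signature ("sig") file."""
    lines = text.split("\n", 2)
    if len(lines) < 2 or not lines[0].startswith(COMMENT_HDR):
        raise ValueError("first line must start with 'untrusted comment: '")
    try:
        blob = base64.b64decode(lines[1].strip(), validate=True)
    except ValueError as exc:           # binascii.Error subclasses ValueError
        raise ValueError("second line is not valid base64") from exc
    if blob[:2] != PKALG or len(blob) != 2 + KEYNUM_LEN + BODY_LEN[kind]:
        raise ValueError("not a signify %s" % kind)
    return {
        "comment": lines[0][len(COMMENT_HDR):],
        "keynum": blob[2:2 + KEYNUM_LEN].hex(),
        # Embedded signatures carry the signed text after line two.
        "message": lines[2] if len(lines) > 2 else "",
    }


def key_for_signature(sig_text, pubkeys):
    """Return the name of the key file whose key number matches the signature."""
    # This only selects the key; checking the signature is still signify's job.
    wanted = parse_signify(sig_text, "sig")["keynum"]
    for name in sorted(pubkeys):
        if parse_signify(pubkeys[name], "pubkey")["keynum"] == wanted:
            return name
    return None


def make_sample(kind, keynum, comment):  # constructed bytes, not real key material
    blob = PKALG + keynum + bytes(BODY_LEN[kind])
    return "%s%s\n%s\n" % (COMMENT_HDR, comment, base64.b64encode(blob).decode())


SAMPLE_KEYS = {
    "example-base.pub": make_sample("pubkey", b"\x01" * 8, "example base public key"),
    "example-pkg.pub": make_sample("pubkey", b"\x02" * 8, "example pkg public key"),
}
SAMPLE_SIG = make_sample("sig", b"\x01" * 8, "signature from example base secret key") \
    + "SHA256 (example.iso) = 00\n"
```

A matching key number says nothing about whether the key files themselves are genuine; that still depends on where they were obtained.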
#4 | 12th July 2014 | cravuhaw2C (Port Guard) | Join Date: Jul 2014 | Posts: 45
Are the public key files available in *.asc format?

Users who plan to migrate their existing platform from Microsoft OS, Debian or Ubuntu to OpenBSD may have difficulty in using the signify utility to verify OpenBSD's ISOs.

Where can I download the signing key (in the form of .asc) for install55.iso? With the .asc file, I can then use gpg4win under Microsoft Windows to verify install55.iso.
#5 | 12th July 2014 | ibara (OpenBSD language porter) | Join Date: Jan 2014 | Posts: 783

If you are truly worried by this:
Install OpenBSD on a machine.
Download and verify a new bsd.rd from your mirror of choice.
Boot into the new bsd.rd and blast away your original install (choose (I)nstall instead of (U)pgrade from the bsd.rd menu just like you did the first time).

Now you're in the signify loop.

Last edited by ibara; 12th July 2014 at 06:11 PM.
#6 | 12th July 2014 | jggimi (More noise than signal) | Join Date: May 2008 | Location: USA | Posts: 7,975

Quote:
Originally Posted by cravuhaw2C
Users who plan to migrate their existing platform from Microsoft OS, Debian or Ubuntu to OpenBSD may have difficulty in using the signify utility to verify OpenBSD's ISOs.

This is because this is the first release to contain signify(1), and the OpenBSD Project has not developed a Portable Signify. The Project might do that in the future, but if so (in my opinion) they are unlikely to use PGP, GPG, X.509, or any other external cryptographic framework, since signify(1) was designed to eliminate the need for them.
#7 | 14th July 2014 | jggimi (More noise than signal) | Join Date: May 2008 | Location: USA | Posts: 7,975

About 2 hours ago, Bob Beck (beck@) posted on Twitter that, in support of Portable LibreSSL, a version of signify has been ported to Linux.

Tags
public key, signify, verify



All times are GMT.

