OpenBSD Installation and Upgrading (Installing and upgrading OpenBSD)

Continue without verification?
Under Microsoft Windows 7, I "burned" install55.iso to a CD, which I then inserted into the CD-ROM slot, and rebooted my laptop.
When the installation process reached the stage where I had to select sets, I selected only the ones that I needed. I was stuck at the next step, where I was asked the following:
Quote:
Note: I had downloaded both SHA256 and SHA256.sig a few days ago. As the signing key for install55.iso, in the form of an *.asc file, is unavailable, there was no way for me to verify the integrity of install55.iso using gpg4win under Microsoft Windows 7.
Quote:
Does Theo provide a SHA512 hash for the installation CD?
I didn't mention the fact that I use Debian and Ubuntu from time to time
That doesn't make it less hilarious, as Ubuntu is as secure as Windows 7 and Debian is a tiny niche up. At work we use Red Hat when we have to use Linux (trying to stick with BSDs whenever possible), and I am constantly bewildered by the Linux approach to security. Please don't get me started on that. In particular, the Debian guys, after introducing a major bug into OpenSSL a couple of years ago to suppress compilation warnings, have zero credibility when it comes to security.
Last edited by Oko; 12th July 2014 at 07:54 PM.
Quote:
But what I don't understand is the lack of a signing key for ISOs that is suitable for use with gpg.
In all seriousness, use http instead of cd when it asks you where to fetch the sets from.
?
Quote:
What I also need is the signing key belonging to the person(s) who sign(s) the ISO images. In Debian and its variants, one imports the signing key by issuing the following command:

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x21C031063EAB569

After importing the signing key, one issues the following command:

gpg --verify SHA256.sig

In Microsoft Windows, we first install the free and open-source gpg4win. Next, we retrieve the signing key from pgp.mit.edu. The signing key has a file extension of .asc. We launch a command prompt, navigate to the folder/directory where the ISO image, SHA256 and SHA256.sig are located, and issue the following command:

H:\>gpg --verify SHA256.sig SHA256
Quote:
Unfortunately, due to the foolish politics of the early '90s, the traditional BSD system compiler, PCC, was replaced by GCC and Binutils. GCC has already been phased out of FreeBSD and DragonFly BSD, but binutils is the only really serious GNU thing found on any BSD.
I have no idea what your question is for. That is the correct answer.
Port signify if you're that worried.
Quote:
Each message that has been signed with the private key can be verified against the public key, and the public key only. Using signify(1), only.
Quote:
Here are your options, if you wish to use OpenBSD:
I apologize for the confusion. What I need is the public portion of the signing key that can be retrieved from pgp.mit.edu or any publicly-hosted keyserver. However... (see below)
That's the suggestion that I'm gonna try. In fact, I don't have to install it twice. The first time I install OpenBSD is without verification using signify. Once I am in OpenBSD, I will use signify to verify my earlier-downloaded ISO image. If it passes verification, I won't need to reinstall the OS a second time. If it fails, I will have to download the ISO image from another mirror and use the signify app on the already-installed OpenBSD to verify the second download.
For your info, the men in black are capable of corrupting all the mirrors of any Linux distro. Take Gentoo, for example: one of their apps was infected with a backdoor, and all of their mirrors contained the same infected file. On a side note, I read somewhere that the NSA was planning to create 6,000 IT experts annually.
All that these systems do is prove that the person with the private key has signed the plaintext, and that it subsequently arrived without change. Any other comfort or feeling of safety you take beyond that simple fact is an assumption on your part. No digital signature system, including the GPG toolset you are familiar with, can prevent that plaintext from attacks before it is signed, nor protect you if the person who has signed it is themselves a bad actor. Every one of us who uses software that came from others -- any software, of any kind, on any OS -- is required to trust, whether cryptographic signatures are in use or not. You may not be aware that successful attacks on cryptographic certification frameworks have occurred many times. And they will occur again. The most recent public announcement of one was two days ago. Whenever they occur, they permit bad actors to portray themselves as trusted authorities. This inherent weakness in established frameworks is one of the reasons that OpenBSD developed signify(1), as it limits the chain of trust to a single authority.
Last edited by jggimi; 13th July 2014 at 06:25 AM. Reason: typo
In your future replies to my posts, please do give me a bit of leeway.
Quote:
What is that single authority? Thanks in advance for your answer.
For OpenBSD software, it is The OpenBSD Project (the "Project"), in two ways:
cravuhaw2C:
The 5.5-release ISOs do not contain a SHA256.sig file, because the ISOs would have required self-signatures. The other installation media options do not have this requirement, which is why the signature file is available outside the ISOs. http://marc.info/?l=openbsd-misc&m=139393982414320&w=2
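Added example (editor's note, not a post from this thread and not OpenBSD's signify(1) source): the verification the thread keeps circling around, done end to end in stdlib-only Python so the "single authority" trust chain is visible. On a 5.5 install the real command is `signify -C -p /etc/signify/openbsd-55-base.pub -x SHA256.sig base55.tgz ...`; the code below re-implements what that does. The signify file layout is the one documented in signify(1): an "untrusted comment:" line, then base64 of "Ed" followed by an 8-byte key number and the 32-byte key or 64-byte signature, with the signed checksum list embedded after those two lines in a SHA256.sig made with -e. The key number must match between .pub and .sig before any Ed25519 math runs, and no set is hashed until the list itself verifies. The Ed25519 arithmetic is a port of the reference algorithm (exact, deliberately slow). Everything in demo() is constructed: the seed, the key number, the set names and their contents; the OK/FAIL/MISSING vocabulary and the key-number error wording are modeled on signify's output, not copied from it.

```python
# Added example, not OpenBSD's signify(1) source: a stdlib-only Python port of
# what `signify -C -p /etc/signify/openbsd-55-base.pub -x SHA256.sig` checks.
# The Ed25519 part follows the reference arithmetic (correct, deliberately slow).
import base64, hashlib, os, re, tempfile

Q = 2**255 - 19                                     # field prime
L = 2**252 + 27742317777372353535851937790883648493  # group order
def _inv(x): return pow(x, Q - 2, Q)
D = -121665 * _inv(121666) % Q
I = pow(2, (Q - 1) // 4, Q)
def _xrecover(y):                                   # even root x for a given y
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q: x = x * I % Q
    return x if x % 2 == 0 else Q - x
B = (_xrecover(4 * _inv(5) % Q), 4 * _inv(5) % Q)   # base point
def _add(P, R):                                     # twisted Edwards addition
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % Q, (y1 * y2 + x1 * x2) * _inv(1 - t) % Q)
def _mul(P, e):                                     # double-and-add scalar mult
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = _add(R, R)
        if bit == '1': R = _add(R, P)
    return R
def _enc(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, 'little')
def _dec(s):
    y = int.from_bytes(s, 'little') & ((1 << 255) - 1)
    x = _xrecover(y)
    if x & 1 != s[31] >> 7: x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q: raise ValueError('not on curve')
    return (x, y)
def _H(*parts): return int.from_bytes(hashlib.sha512(b''.join(parts)).digest(), 'little')
def _secret(seed):                                  # clamped scalar a, nonce prefix
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], 'little') & ((1 << 254) - 8) | (1 << 254), h[32:]
def ed25519_pub(seed): return _enc(_mul(B, _secret(seed)[0]))
def ed25519_sign(seed, msg):
    a, prefix = _secret(seed); pk = ed25519_pub(seed)
    r = _H(prefix, msg) % L; R = _enc(_mul(B, r))
    return R + ((r + _H(R, pk, msg) * a) % L).to_bytes(32, 'little')
def ed25519_verify(pk, msg, sig):
    if len(pk) != 32 or len(sig) != 64: return False
    try: A, R = _dec(pk), _dec(sig[:32])
    except ValueError: return False
    S = int.from_bytes(sig[32:], 'little')
    return S < L and _mul(B, S) == _add(R, _mul(A, _H(sig[:32], pk, msg)))

# signify(1) files: an "untrusted comment:" line, then base64 of "Ed" || 8-byte
# key number || 32-byte key (.pub) or 64-byte signature (.sig).  A SHA256.sig
# made with -e carries the signed checksum list after those two lines.
def _parse_signify(blob, body_len):
    parts = blob.split(b'\n', 2)
    if not parts[0].startswith(b'untrusted comment: '): raise ValueError('no comment line')
    raw = base64.b64decode(parts[1])
    if raw[:2] != b'Ed' or len(raw) != 10 + body_len: raise ValueError('bad signify data')
    return raw[2:10], raw[10:], (parts[2] if len(parts) > 2 else b'')

def signify_verify(pub_file, sig_file):
    """Verify the message embedded in sig_file; returns (ok, message)."""
    knum_k, pk, _ = _parse_signify(pub_file, 32)
    knum_s, sig, msg = _parse_signify(sig_file, 64)
    if knum_k != knum_s: raise ValueError('verification key has different key number')
    return ed25519_verify(pk, msg, sig), msg

SUM_RE = re.compile(rb'^SHA256 \((.+)\) = ([0-9a-f]{64})$')
def signify_check(pub_file, sig_file, directory):
    """Like `signify -C`: nothing is hashed until the list itself verifies.
    Returns (signature_ok, {set: 'OK' | 'FAIL' | 'MISSING'})."""
    ok, sha256 = signify_verify(pub_file, sig_file)
    if not ok: return False, {}
    results = {}
    for m in filter(None, map(SUM_RE.match, sha256.splitlines())):
        name, want = m.group(1).decode(), m.group(2).decode()
        path = os.path.join(directory, name)
        if not os.path.exists(path): results[name] = 'MISSING'; continue
        with open(path, 'rb') as f: results[name] = 'OK' if hashlib.sha256(f.read()).hexdigest() == want else 'FAIL'
    return True, results

def demo():
    """Constructed run (made-up key, made-up sets, not real OpenBSD data): sign a
    checksum list as a release would, then check downloads against it."""
    seed = hashlib.sha256(b'example seed; not an OpenBSD release key').digest()
    keynum = bytes(range(8))
    pub_file = b'untrusted comment: example key\n' + base64.b64encode(b'Ed' + keynum + ed25519_pub(seed)) + b'\n'
    with tempfile.TemporaryDirectory() as d:
        sets = {'base55.tgz': b'base set bytes', 'comp55.tgz': b'comp set bytes'}
        for name, data in sets.items():
            with open(os.path.join(d, name), 'wb') as f: f.write(data)
        sha256 = b''.join(b'SHA256 (%s) = %s\n' % (n.encode(), hashlib.sha256(v).hexdigest().encode())
                          for n, v in sets.items())
        sha256 += b'SHA256 (man55.tgz) = ' + b'0' * 64 + b'\n'             # listed, never fetched
        sig_file = (b'untrusted comment: verify with example key\n'
                    + base64.b64encode(b'Ed' + keynum + ed25519_sign(seed, sha256)) + b'\n' + sha256)
        with open(os.path.join(d, 'comp55.tgz'), 'ab') as f: f.write(b'!')   # tampered after signing
        ok, results = signify_check(pub_file, sig_file, d)
        altered_ok = signify_check(pub_file, sig_file[:-1] + b'?', d)[0]    # list edited in transit
    return ok, results, altered_ok

if __name__ == '__main__':
    print(demo())   # (True, {'base55.tgz': 'OK', 'comp55.tgz': 'FAIL', 'man55.tgz': 'MISSING'}, False)
```

What this makes concrete about the thread: the only thing that has to be trusted is the 32-byte key shipped in /etc/signify on the previous release (or read off a trusted copy of the public key); there is no keyserver, no web of trust and no certificate chain for a bad actor to insert themselves into, which is the "single authority" jggimi describes. Notice also that a set that is missing or modified is reported per file only after the signature over the whole list has held, so a mirror cannot quietly swap one set and its checksum line together.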