DaemonForums  

  #1   (View Single Post)  
Old 12th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default Continue without verification?

Under Microsoft Windows 7 OS, I "burned" install55.iso to a CD which I then inserted into a CDROM slot and rebooted my laptop computer.

When the installation process reached the stage where I had to select some sets, I selected only the ones that I needed.

I was stuck at the next step. I was asked the following:

Quote:
Directory does not contain SHA256.sig. Continue without verification?
What should I do? Can I copy SHA256 and SHA256.sig to a USB flash drive and issue a command to the installation routine, telling it that the required *.sig file is on the USB stick?

Note: I had downloaded both SHA256 and SHA256.sig a few days ago. As the signing key of install55.iso, in the form of *.asc file, is unavailable, there was no way for me to verify the integrity of install55.iso using gpg4win under Microsoft Windows 7.
Reply With Quote
  #2   (View Single Post)  
Old 12th July 2014
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by cravuhaw2C View Post
What should I do?
Press 'y' to continue.
Reply With Quote
  #3   (View Single Post)  
Old 12th July 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

You hit continue without verification or send a check for $50 for installation CD to Theo de Raadt if you want to be 100% safe. The whole situation sounds pretty hilarious to me since you are using Windows 7 which is well known for its security features.
Reply With Quote
  #4   (View Single Post)  
Old 12th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default

Quote:
Originally Posted by Oko View Post
.....or send a check for $50 for installation CD to Theo de Raadt if you want to be 100% safe.....
Can you guarantee that NSA, GCHQ, BND, KGB/FSB or PLA will not intercept the installation CD sent by Theo and replace it with one that contains backdoors that "call" back to the respective spooks?

Does Theo provide SHA512 hashsum for the installation CD?
Reply With Quote
  #5   (View Single Post)  
Old 12th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default

Quote:
Originally Posted by Oko View Post
.....The whole situation sounds pretty hilarious to me since you are using Windows 7 which is well known for its security features.
I didn't mention the fact that I use Debian and Ubuntu from time to time
Reply With Quote
  #6   (View Single Post)  
Old 12th July 2014
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

In all seriousness, use html instead of cd when it asks you where to fetch sets from.
Reply With Quote
  #7   (View Single Post)  
Old 12th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default

Quote:
Originally Posted by ibara View Post
In all seriousness, use html instead of cd when it asks you where to fetch sets from.
?
Reply With Quote
  #8   (View Single Post)  
Old 12th July 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Quote:
Originally Posted by cravuhaw2C View Post
I didn't mention the fact that I use Debian and Ubuntu from time to time
That doesn't make it less hilarious as Ubuntu is as secure as Windows 7 and Debian is a tiny notch up. At work we use Red Hat when we have to use Linux (trying to stick with BSDs whenever possible) and I am constantly bewildered by the Linux approach to security. Please don't get me started on that. In particular Debian guys after introducing a major bug into OpenSSL a couple of years ago to suppress compilation warnings have zero credibility when it comes to security.

Last edited by Oko; 12th July 2014 at 07:54 PM.
Reply With Quote
  #9   (View Single Post)  
Old 12th July 2014
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

I have no idea what your question is for. That is the correct answer.
Reply With Quote
Old 12th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default

Quote:
Originally Posted by Oko View Post
....In particular Debian guys after introducing a major bug into OpenSSL a couple of years ago to suppress compilation warnings have zero credibility when it comes to security.
I am new to the world of *nix OSes.

But what I don't understand is the lack of a signing key for ISOs that is suitable for use with gpg.
Reply With Quote
Old 12th July 2014
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

Port signify if you're that worried.
Reply With Quote
Old 12th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by cravuhaw2C View Post
?
The SHA256.sig file is available for your architecture from your nearby mirror, at http://<your.nearby.mirror>/pub/OpenBSD/5.5/<your.architecture>. It is not included on the ISO images.
Reply With Quote
Old 12th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default

Quote:
Originally Posted by jggimi View Post
The SHA256.sig file is available for your architecture from your nearby mirror, at http://<your.nearby.mirror>/pub/OpenBSD/5.5/<your.architecture>. It is not included on the ISO images.
Yes, I did download that plus SHA256 file.

What I need also is the signing key belonging to the person(s) who sign(s) the ISO images.

In Debian and its variants, one imports the signing key by issuing the following command:

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x21C031063EAB569

After importing the signing key, one issues the following command:

gpg --verify SHA256.sig

In Microsoft Windows OS, we first install the free and open-source gpg4win. Next, we retrieve the signing key from pgp.mit.edu. The signing key has a file extension of asc

We launch a command prompt, navigate to the folder/directory where the ISO image, SHA256 and SHA256.sig are located and issue the following command:

H:\>gpg --verify SHA256.sig SHA256
Reply With Quote
Old 12th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
What I need also is the signing key belonging to the person(s) who sign(s) the ISO images.
That is a private (secret) key.

Each message that has been signed with the private key can be verified against the public key, and the public key, only. Using signify(1), only.
Quote:
gpg --keyserver...
As previously mentioned, signify is a self-contained cryptographic framework. It does not use gpg or any other external crypto framework you have used with other OSes. At all.

Here are your options, if you wish to use OpenBSD:
  1. Port signify to the OS of your choice. The source code is publicly available to you, from CVS servers that have SSH fingerprints. I've seen an OS X port.
  2. Install OpenBSD twice. Once, without the signify crypto framework available to you. Then reinstall, the second time using it. A minimal installation from your ISO will only require kernels and two filesets: base55.tgz and etc55.tgz, and even on my slowest platform (Alix with compact flash media) this takes about 5 minutes.
  3. Install OpenBSD once, using the unsigned but quite valid SHA256 cryptographic hashes. Download them from an alternate mirror, to be sure the men-in-black haven't corrupted the mirror where you downloaded your ISO, or kernels and filesets.
Until this latest release, Option 3 was the only option available to us. And it is still available to you.
Reply With Quote
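
Option 3 from the post above, as an added example (not part of the original thread and not OpenBSD's own tooling): it parses the `SHA256 (name) = digest` lines of two SHA256 files fetched from different mirrors, checks that they agree, then hashes the downloaded file. The function names and the data in `demo()` are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style checksum line as found in OpenBSD's SHA256 file:
#   SHA256 (install55.iso) = <64 hex digits>
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

def parse_sha256_list(text):
    """Return {filename: hex digest}; reject any malformed line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not a SHA256 checksum line")
        entries[m["name"]] = m["digest"]
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a full ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, primary_list, alternate_list):
    """Classify one downloaded file against two independently fetched lists."""
    name = Path(path).name
    a = parse_sha256_list(primary_list).get(name)
    b = parse_sha256_list(alternate_list).get(name)
    if a is None or b is None:
        return "not-listed"
    if not hmac.compare_digest(a, b):
        return "mirrors-disagree"   # one of the two lists was altered
    if not hmac.compare_digest(a, sha256_file(path)):
        return "file-mismatch"      # download is corrupt or was tampered with
    return "ok"

def demo():
    """Constructed data: a stand-in file and lists, not real OpenBSD hashes."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "install55.iso"
        iso.write_bytes(b"constructed stand-in for an ISO image\n")
        good = f"SHA256 ({iso.name}) = {sha256_file(iso)}\n"
        bad = f"SHA256 ({iso.name}) = {'0' * 64}\n"
        return verify(iso, good, good), verify(iso, good, bad), verify(iso, bad, bad)
```

A result of "ok" only shows that the file matches what both mirrors list; it says nothing about who produced the list, which is the gap the signed SHA256.sig is meant to close.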
Old 12th July 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Quote:
Originally Posted by cravuhaw2C View Post

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x21C031063EAB569
g stands for GNU. Why do you expect to see anything GNU on BSDs? BSDs are a completely separate, much older family of operating systems, direct ancestors Bill Joy's clone of ATT UNIX inspired by Ken Thompson's sabbatical visit to UC Berkeley 1973.

Unfortunately due to the foolish politics in early 90s traditional BSD system compiler PCC was replaced by GCC and Binutils. GCC is already phased out of FreeBSD and DragonFly BSD but binutils is the only really serious GNU thing found on any BSDs.
Reply With Quote
Old 12th July 2014
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

Quote:
Originally Posted by Oko View Post
GCC is already phased out of ... DragonFly BSD
Uh...
Reply With Quote
Old 12th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

cravuhaw2C:

The 5.5-release ISOs do not contain a SHA256.sig file, because the ISOs would have required self-signatures. The other installation media options do not have this requirement, which is why the signature file is available outside the ISOs.

http://marc.info/?l=openbsd-misc&m=139393982414320&w=2
Reply With Quote
Old 13th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default

Quote:
Originally Posted by jggimi View Post
That is a private (secret) key.
I apologize for the confusion. What I need is the public portion of the signing key that can be retrieved from pgp.mit.edu or any publicly-hosted keyserver. However....(see below)

Quote:
Originally Posted by jggimi View Post
Using signify(1), only.
Quote:
Originally Posted by jggimi View Post
It does not use gpg or any other external crypto framework you have used with other OSes. At all.
Finally, the clarification that the ISO images can't be verified using GPG tools. This has not been made explicitly clear in the FAQs and man pages.

Quote:
Originally Posted by jggimi View Post

Port signify to the OS of your choice. The source code is publicly available to you, from CVS servers that have SSH fingerprints. I've seen an OS X port.
Thanks for the suggestion. But I'm technically challenged. I don't have a diploma or degree in IT or computer science.



Quote:
Originally Posted by jggimi View Post
Install OpenBSD twice. Once, without the signify crypto framework available to you. Then reinstall, the second time using it.

That's the suggestion that I'm gonna try. In fact I don't have to install it twice. The first time I install OpenBSD is without the verification using signify.


When I am in OpenBSD OS, I will use signify to verify my earlier downloaded ISO image. If it passes verification, I won't need to reinstall the OS a second time. If it fails, I will have to download the ISO image from another mirror and use the signify app that is on the already installed OpenBSD OS to verify the second-time download.



Quote:
Originally Posted by jggimi View Post
Install OpenBSD once, using the unsigned but quite valid SHA256 cryptographic hashes. Download them from an alternate mirror, to be sure the men-in-black haven't corrupted the mirror where you downloaded your ISO, or kernels and filesets.

For your info, the men-in-black are capable of corrupting all the mirrors of any Linux distro. Take Gentoo for example. One of their apps was infected with a backdoor and all of their mirrors contained the same infected file.


On a side note, I read somewhere that the NSA was planning to create 6,000 IT experts annually.
Reply With Quote
Old 13th July 2014
cravuhaw2C cravuhaw2C is offline
Port Guard
 
Join Date: Jul 2014
Posts: 45
Default

Quote:
Originally Posted by Oko View Post
g stands for GNU. Why do you expect to see anything GNU on BSDs?....
Look here, I am a novice user of OpenBSD.

How am I supposed to know that *BSD distros don't ship with GNU tools? No wiki on OpenBSD tells me that.

Have you realized that some of your replies are quite abrasive?

If you feel that my questions posted on this forum are too elementary and don't meet your expectations, you don't have to answer them. You have the choice to move on to help other forum members out.

My request to you: Please don't answer my posts. Ever. You are NOT welcome. (Using Google Translate, here's the not-so-perfect translation in Serbian: Мој захтев за вас: Молимо вас да не одговорите на моје постове. Икада. Ти нису добродошли.)
Reply With Quote
Old 13th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by cravuhaw2C View Post
Finally, the clarification that the ISO images can't be verified using GPG tools.
I thought I had done so an hour earlier, here. But I'm glad this is now clarified for you.
Quote:
For your info, the men-in-black are capable of corrupting all the mirrors of any Linux distro. Take Gentoo for example. One of their apps was infected with a backdoor and all of their mirrors contained the same infected file.
Then I am pleased to inform you that the cryptographic signatures that so concerned you in your posts to this forum to-date ... would not provide any protection for this type of problem, whatsoever.

All that these systems do is prove that the person with the private key has signed the plaintext, and that it subsequently arrived without change. Any other comfort or feeling of safety you take beyond that simple fact is an assumption on your part.

No digital signature system, including the GPG toolset you are familiar with, can prevent that plaintext from attacks before it is signed, nor protect you if the person who has signed it is themselves a bad actor.

For every one of us who uses software that came from others -- any software, of any kind, on any OS -- requires us to trust. Whether cryptographic signatures are in use, or not.
You may not be aware that successful attacks on cryptographic certification frameworks have occurred many times. And they will occur again. The most recent public announcement of one was two days ago. Whenever they occur, they permit bad actors to portray themselves as trusted authorities.
This inherent weakness in established frameworks is one of the reasons that OpenBSD developed signify(1), as it limits the chain of trust to a single authority.

Last edited by jggimi; 13th July 2014 at 06:25 AM. Reason: typo
Reply With Quote