Continue without verification?
Under Microsoft Windows 7 OS, I "burned" install55.iso to a CD which I then inserted into a CDROM slot and rebooted my laptop computer.
When the installation process reached the stage where I had to select some sets, I selected only the ones that I needed. I was stuck at the next step. I was asked the following: Quote:
Note: I had downloaded both SHA256 and SHA256.sig a few days ago. As the signing key of install55.iso, in the form of an *.asc file, is unavailable, there was no way for me to verify the integrity of install55.iso using gpg4win under Microsoft Windows 7.
|
|||
|
|
|||
Quote:
Does Theo provide SHA512 hashsum for the installation CD?
|
|||
I didn't mention the fact that I use Debian and Ubuntu from time to time
|
|
|||
In all seriousness, use html instead of cd when it asks you where to fetch sets from.
|
|
|||
?
|
|
||||
That doesn't make it less hilarious as Ubuntu is as secure as Windows 7 and Debian is a tiny notch up. At work we use Red Hat when we have to use Linux (trying to stick with BSDs whenever possible) and I am constantly bewildered by the Linux approach to security. Please don't get me started on that. In particular, the Debian guys, after introducing a major bug into OpenSSL a couple of years ago to suppress compilation warnings, have zero credibility when it comes to security.
Last edited by Oko; 12th July 2014 at 07:54 PM.
|
|||
I have no idea what your question is for. That is the correct answer.
|
|
|||
Quote:
But what I don't understand is the lack of a signing key for ISOs that is suitable for use with gpg.
|
|||
Port signify if you're that worried.
|
|
|||
Quote:
What I need also is the signing key belonging to the person(s) who sign(s) the ISO images.

In Debian and its variants, one imports the signing key by issuing the following command:

    gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x21C031063EAB569

After importing the signing key, one issues the following command:

    gpg --verify SHA256.sig

In Microsoft Windows OS, we first install the free and open-source gpg4win. Next, we retrieve the signing key from pgp.mit.edu. The signing key has a file extension of asc. We launch a command prompt, navigate to the folder/directory where the ISO image, SHA256 and SHA256.sig are located and issue the following command:

    H:\>gpg --verify SHA256.sig SHA256
|
||||
Quote:
Each message that has been signed with the private key can be verified against the public key, and the public key, only. Using signify(1), only. Quote:
Here are your options, if you wish to use OpenBSD:
|
|
||||
Quote:
Unfortunately, due to the foolish politics in the early 90s, the traditional BSD system compiler PCC was replaced by GCC and Binutils. GCC is already phased out of FreeBSD and DragonFly BSD, but binutils is the only really serious GNU thing found on any BSDs.
|
|||
|
|
||||
cravuhaw2C:
The 5.5-release ISOs do not contain a SHA256.sig file, because the ISOs would have required self-signatures. The other installation media options do not have this requirement, which is why the signature file is available outside the ISOs. http://marc.info/?l=openbsd-misc&m=139393982414320&w=2
|
||||
I apologize for the confusion. What I need is the public portion of the signing key that can be retrieved from pgp.mit.edu or any publicly-hosted keyserver. However....(see below)
Quote:
Quote:
Quote:
That's the suggestion that I'm gonna try. In fact I don't have to install it twice. The first time I install OpenBSD is without the verification using signify. When I am in OpenBSD OS, I will use signify to verify my earlier downloaded ISO image. If it passes verification, I won't need to reinstall the OS a second time. If it fails, I will have to download the ISO image from another mirror and use the signify app that is on the already installed OpenBSD OS to verify the second-time download. Quote:
For your info, the men-in-black are capable of corrupting all the mirrors of any Linux distro. Take Gentoo for example. One of their apps was infected with a backdoor and all of their mirrors contained the same infected file. On a side note, I read somewhere that the NSA was planning to create 6,000 IT experts annually.
|
|||
Quote:
How am I supposed to know that *BSD distros don't ship with GNU tools? No wiki on OpenBSD tells me that. Have you realized that some of your replies are quite abrasive? If you feel that my questions posted on this forum are too elementary and don't meet your expectations, you don't have to answer them. You have the choice to move on to help other forum members out. My request to you: Please don't answer my posts. Ever. You are NOT welcome. (Using Google Translate, here's the not-so-perfect translation in Serbian: Мој захтев за вас: Молимо вас да не одговорите на моје постове. Икада. Ти нису добродошли.)
|
||||
Quote:
Quote:
All that these systems do is prove that the person with the private key has signed the plaintext, and that it subsequently arrived without change. Any other comfort or feeling of safety you take beyond that simple fact is an assumption on your part. No digital signature system, including the GPG toolset you are familiar with, can prevent that plaintext from attacks before it is signed, nor protect you if the person who has signed it is themselves a bad actor.

For every one of us, using software that came from others -- any software, of any kind, on any OS -- requires us to trust. Whether cryptographic signatures are in use, or not.

You may not be aware that successful attacks on cryptographic certification frameworks have occurred many times. And they will occur again. The most recent public announcement of one was two days ago. Whenever they occur, they permit bad actors to portray themselves as trusted authorities. This inherent weakness in established frameworks is one of the reasons that OpenBSD developed signify(1), as it limits the chain of trust to a single authority.

Last edited by jggimi; 13th July 2014 at 06:25 AM. Reason: typo
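
An added example, not part of any post in this thread and not OpenBSD's own code: Python that performs the bookkeeping around a signify(1) check, matching the signature's key number against the single public key it is checked with and then looking a file up in the signed checksum list. It assumes SHA256.sig carries the checksum list after the signature line, runs on constructed sample data, and leaves the Ed25519 check to signify, so its result only means something for a file signify has already accepted.

```python
import base64
import hashlib
import re

COMMENT = "untrusted comment: "
# BSD-style checksum line as found in OpenBSD's SHA256 file.
LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def parse_blob(text, payload_len):
    """Split a signify key or signature file into (key number, payload, rest).

    Line 1 is the comment; line 2 is base64 of b"Ed" + 8-byte key number +
    payload (32-byte public key or 64-byte signature); rest is any embedded
    message, assumed here to be the checksum list carried in SHA256.sig.
    """
    lines = text.split("\n", 2)
    if len(lines) < 2 or not lines[0].startswith(COMMENT):
        raise ValueError("missing 'untrusted comment: ' header")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 10 + payload_len or raw[:2] != b"Ed":
        raise ValueError("not an Ed25519 signify blob")
    return raw[2:10], raw[10:], lines[2] if len(lines) > 2 else ""

def check_listed_file(sig_text, pub_text, name, data):
    """Return 'wrong-key', 'not-listed', 'mismatch' or 'hash-ok'.
    The Ed25519 signature is NOT checked here; that is signify's job."""
    pub_keynum, _, _ = parse_blob(pub_text, 32)
    sig_keynum, _, listing = parse_blob(sig_text, 64)
    if pub_keynum != sig_keynum:  # signature was made by a different key
        return "wrong-key"
    for line in listing.splitlines():
        m = LINE.match(line)
        if m and m.group("name") == name:
            ok = hashlib.sha256(data).hexdigest() == m.group("hex")
            return "hash-ok" if ok else "mismatch"
    return "not-listed"

def _blob(keynum, payload):
    """Build a constructed sample file (not a real OpenBSD key or signature)."""
    body = base64.b64encode(b"Ed" + keynum + payload).decode()
    return COMMENT + "constructed sample\n" + body + "\n"

ISO = b"constructed stand-in for the bytes of install55.iso"
PUB = _blob(b"KEYNUM01", bytes(32))
SIG = _blob(b"KEYNUM01", bytes(64)) + "SHA256 (install55.iso) = %s\n" % hashlib.sha256(ISO).hexdigest()

if __name__ == "__main__":
    print(check_listed_file(SIG, PUB, "install55.iso", ISO))
```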