signify-openbsd to crypt'ly verify install62.iso in linux

signify-openbsd to crypt'ly verify install62.iso in linux

Philip Mundhenk
I've installed:

signify-openbsd
signify-openbsd-keys

in an ultra-light (think Lubuntu on Atkins & amphetamines) Ubuntu 16.04.

I guess I'm just a dumb Ubuntard, despite my Intertel membership, but I can't for the life of me figure out how to cryptographically verify the legitimacy of install62.iso with SHA256.sig. The hash matches the sig file, but how to verify the sig file? Or even if it is possible in principle. The manual is clear as mud.

To keep it neat, let's say both files are in /data/bsd-stuff, so we have:
/data/bsd-stuff/install62.iso
/data/bsd-stuff/SHA256.sig

EXACTLY what commands (my default interpreter is bash, but I can use tcsh or whatever) do I need? Or is this a chicken/egg thing where I have to have openbsd installed before I can verify an openbsd iso, which I have to have to install openbsd?

This may be way superior to gpg, but I'd wager 10 to 1 that the net effect of disdaining the standard gpg route completely (which could be available, with a stern warning, IN ADDITION) is that half the people who install this don't do any cryptographic verification at all.

....................................
Because if we allow the Constitution to become a "literary fiction" future generations will rightfully view us with contempt as shallow, posing slackers, this is:

Sent with [ProtonMail](https://protonmail.com) Secure Email.
Re: signify-openbsd to crypt'ly verify install62.iso in linux

Kevin Chadwick-4
On Fri, 09 Feb 2018 16:11:01 -0500


> but I can't for the life of me figure out how to cryptographically
> verify the legitimacy of install62.iso with SHA256.sig.

I've never done it on Linux; however, try

signify -C -p /etc/signify/openbsd-62-base.pub -x SHA256.sig

https://man.openbsd.org/signify

Re: signify-openbsd to crypt'ly verify install62.iso in linux

Kenneth Gober
On Fri, Feb 9, 2018 at 4:44 PM, Kevin Chadwick <[hidden email]> wrote:
> On Fri, 09 Feb 2018 16:11:01 -0500
>> but I can't for the life of me figure out how to cryptographically
>> verify the legitimacy of install62.iso with SHA256.sig.
>
> I've never done it on linux however try
>
> signify -C -p /etc/signify/openbsd-62-base.pub -x SHA256.sig
>
> https://man.openbsd.org/signify

The next question of course will be, how can you be sure that your
copy of /etc/signify/openbsd-62-base.pub is legitimate?  Someone could
have tampered with that file as easily as they could have tampered
with SHA256.sig.

You can go to https://www.openbsd.org/62.html to get the 6.2 signify
keys, but how sure can you be that the site hasn't been compromised?
Or that the site you see in your browser is even the real one?  At
some point you need to convince yourself that you have a good key.
The keys have been published in various places, and the last several
CD releases (from 5.5 or so until CD distribution stopped) had the
signify keys actually printed on the CD labels.  Each release of
OpenBSD includes keys for the next release, so once you have a key you
trust you can use that to verify that version, then use the key in
that version to verify the next version, and so on.

This paper provides some good background about why signify rather than
https or gpg:

http://www.openbsd.org/papers/bsdcan-signify.html

-ken

Re: signify-openbsd to crypt'ly verify install62.iso in linux

Philip Mundhenk
Thank you both. That worked. Ubuntu already had a package named signify so, with all 3 files in the $PWD, the correct command is:

signify-openbsd -C -p openbsd-62-base.pub -x SHA256.sig install62.iso

Possibly part of the problem is that the Ubuntu package signify-openbsd-keys does NOT put anything in /etc but puts the keys in /usr/share/signify-openbsd-keys/ & that it doesn't have anything later than 59. I may try downloading 59 just to see if it works more intuitively.

Re "how can you be sure that your copy of /etc/signify/openbsd-62-base.pub is legitimate?":
AFAIK, that is the same issue as with a gpg public key, & the best answer, using only the internet, is to find copies in multiple places on different sites, and determine that they are the same. I think the only way to be good at paranoia is to practice it ;-), so I'm trying to do that now. If nothing else, it's a good logic puzzle.

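The procedure discussed in the messages above (compare copies of the public key obtained from different places, then check the ISO against the signed checksum list), as an added example that is not part of the original thread. The function names and script name are hypothetical; the key-file layout assumed is signify's two-line format, an `untrusted comment:` line followed by one base64 line.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the key material of a signify public key file: the first line that
# is not the "untrusted comment:" header. That header is not authenticated
# and may differ between honest copies, so it is excluded from comparison.
key_material() {
    grep -v '^untrusted comment:' "$1" | head -n 1 | tr -d ' \r\n'
}

# Return 0 only if all given key files carry identical, non-empty key
# material; 1 if any copy differs; 2 if there is nothing to compare.
keys_agree() {
    [ "$#" -ge 2 ] || return 2
    ref=$(key_material "$1")
    [ -n "$ref" ] || return 2
    shift
    for f in "$@"; do
        [ "$(key_material "$f")" = "$ref" ] || return 1
    done
    return 0
}

# Check install62.iso in DIR against DIR/SHA256.sig using PUBKEY (absolute
# path, because the check runs inside DIR where the signed list expects
# to find the file). Override the binary name with SIGNIFY=... if needed.
verify_release() {
    dir=$1 pub=$2
    tool=${SIGNIFY:-signify-openbsd}
    ( cd "$dir" && "$tool" -C -p "$pub" -x SHA256.sig install62.iso )
}

# Usage: sh verify62.sh DIR KEYCOPY1 KEYCOPY2 [KEYCOPY...]
if [ "$#" -ge 3 ]; then
    dir=$1; shift
    keys_agree "$@" || { echo "key copies differ or are unreadable" >&2; exit 1; }
    verify_release "$dir" "$1"
fi
```

Agreement between copies only shows that the sources match each other; the copies should come from channels that are unlikely to share a single point of compromise.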

Re: signify-openbsd to crypt'ly verify install62.iso in linux

jungle Boogie
In reply to this post by Kenneth Gober
On Fri 09 Feb 2018  5:50 PM, Kenneth Gober wrote:
>
> This paper provides some good background about why signify rather than
> https or gpg:
>
> http://www.openbsd.org/papers/bsdcan-signify.html

And the video:
https://www.youtube.com/watch?v=9R5s3l-0wh0

It's quite creative to include the next set of public keys.

>
> -ken
>

Re: signify-openbsd to crypt'ly verify install62.iso in linux

Edgar Pettijohn III-2
In reply to this post by Philip Mundhenk


On 02/09/18 17:22, Philip Mundhenk wrote:
> Thank you both. That worked. Ubuntu already had a package named signify so, with all 3 files in the $PWD, the correct command is:
>
> signify-openbsd -C -p openbsd-62-base.pub -x SHA256.sig install62.iso
>
> Possibly part of the problem is that the Ubuntu package signify-openbsd-keys does NOT put anything in /etc but puts the keys in /usr/share/signify-openbsd-keys/ & that it doesn't have anything later than 59. I may try downloading 59 just to see if it works more intuitively.

You should send a patch for signify(1) with the correct path in the
examples to the maintainer.


Re: signify-openbsd to crypt'ly verify install62.iso in linux

Michael Hekeler
In reply to this post by Philip Mundhenk

> To keep it neat, let's say both files are in /data/bsd-stuff, so we
> have:
> /data/bsd-stuff/install62.iso
> /data/bsd-stuff/SHA256.sig


Where did you download the public key?