Unix Fan wrote:
> Philipp Winter wrote:
>> I did not find a file on the OpenBSD mirrors which contains a digital
>> signature for the 'MD5' files which are placed in the platform specific
>> directories (e.g.: ftp://ftp.openbsd.org/pub/OpenBSD/4.2/i386/).
>> Is there no way to verify the authenticity of the installation files?
>
> Huh?, ftp://ftp.openbsd.org/pub/OpenBSD/4.2/i386/MD5 seems to contain all
> the proper MD5's... if your mirror matches the ones at the official site,
> that seems to prove they're genuine.

Yes, but attackers could redirect end users' requests to ftp.openbsd.org
via DNS poisoning or stuff like that. MD5 sums don't help in such a
case - a digital signature would.

> The OpenBSD team takes security pretty seriously. ;) - digitally signing
> the MD5 file is a bit much though... don't ya think? =|

I don't think so. It would provide additional security since end users
can be sure they downloaded the _original_ files instead of just having
the certainty that no errors happened during transmission.

Anyway, thanks for all the answers. And yes, the official CD set is
secure enough for my needs. ;-)

Greetings,
Philipp
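
The distinction argued in this thread, as an added example that is not part of the original messages: a checksum list fetched over the same channel as the files only shows internal consistency, while a signature checked against a key obtained out of band ties the list to the publisher. The key pair, file names and contents are constructed for the demonstration, and the textbook RSA used here stands in for a real signing tool.

```python
import hashlib

# Constructed demo key (two Mersenne primes): illustration only, NOT a secure key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                            # public modulus, pinned by the user out of band
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the release signer

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    # Textbook RSA over a SHA-256 digest (no padding): enough to show the trust model.
    return pow(digest_int(data), D, N)

def signature_ok(data: bytes, sig: int) -> bool:
    # Verification needs only the pinned public values (N, E).
    return pow(sig, E, N) == digest_int(data)

def md5_list(files: dict) -> bytes:
    # BSD-style checksum listing, one "MD5 (name) = digest" line per file.
    lines = [f"MD5 ({name}) = {hashlib.md5(body).hexdigest()}\n"
             for name, body in sorted(files.items())]
    return "".join(lines).encode()

def checksums_ok(files: dict, listing: bytes) -> bool:
    return md5_list(files) == listing

def verify_download(files: dict, listing: bytes, sig: int) -> dict:
    return {"md5_match": checksums_ok(files, listing),
            "signature_valid": signature_ok(listing, sig)}

# Constructed sample release as published by the project.
GENUINE = {"base42.tgz": b"genuine base set", "bsd": b"genuine kernel"}
GENUINE_LIST = md5_list(GENUINE)
GENUINE_SIG = sign(GENUINE_LIST)

# What a spoofed server can offer: altered file, matching regenerated MD5 list,
# and only the old signature, since producing a new one requires D.
TAMPERED = dict(GENUINE, bsd=b"modified kernel")
TAMPERED_LIST = md5_list(TAMPERED)

if __name__ == "__main__":
    print("genuine :", verify_download(GENUINE, GENUINE_LIST, GENUINE_SIG))
    print("tampered:", verify_download(TAMPERED, TAMPERED_LIST, GENUINE_SIG))
```

The tampered set passes the MD5 comparison because the listing came from the same untrusted source; only the signature check against the pinned key rejects it.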