[UkOpenBSDUsers] 6.8 sha256

Stuart Henderson stu at spacehopper.org
Sat Feb 13 16:14:52 GMT 2021

On 2021/02/13 21:17, Sivan ! wrote:
> Hello
> The instruction to verify sha256 of install68.img indicates that the
> checksum file is part of the install68.img, there was no separate
> checksum file to be downloaded for comparing the value of the
> downloaded file, unless I am missing something.

If you are just concerned with checking for download corruption, see the
SHA256 file in the same directory where you found install68.img.

There's also SHA256.sig which signed using "signify". This is part of
the OpenBSD base system but also builds easily on other OS. One OpenBSD
release includes the public key for the next release, so that once you
are already using a trusted version there's an ongoing chain for updates.
(This is checked automatically when you use "sysupgrade" to upgrade).

Keys are also published on the release page e.g.
https://www.openbsd.org/68.html - you will also find them in mailing
list posts announcing releases (so you can verify against multiple list
archives), and just searching for the key you should find it on a number
of websites.

> The sha256 compare command did not work. However I computed the value as below:
> 14ea602583030b33e91ee8fde8dd76113984e9fac6598f9f609f408137c4cff2  install68.img
> Is this correct, is the downloaded file clean please?

That matches the hash in the SHA256.sig file that I have downloaded and
checked against the 6.8 key.

More information about the Uk-OpenBSD-Users mailing list