
Comments (8)

bob-beck commented on July 22, 2024

To answer a number of questions about this all at once. No, we don't sign
releases with GnuPG or OpenPGP.

GnuPG alone is a compressed tarball of 4.2 MB of code I have occasionally
had to glance at. I do not have enough energy in my life to clean up two
poorly written crypto code bases. The world will be better if we only
concentrate on one.

$ wc -l *.c
29 crypto_api.c
143 mod_ed25519.c
327 mod_ge25519.c
806 signify.c
1305 total

Signify is 1305 lines of C code, and it's included in our development
platform. It is not that difficult to install, and if you can't install it,
you could always run OpenBSD in a VM to verify a signature; it comes with
OpenBSD.

On Mon, Jul 14, 2014 at 11:01 AM, Ralph Giles [email protected]
wrote:

Thanks for providing signed checksums of the releases on
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ !

I respectfully suggest offering OpenPGP signatures, at least as an
alternative, would be more portable. My systems don't have signify.



from portable.

jpouellet commented on July 22, 2024

In case you happen to be on OS X, check out https://github.com/jpouellet/signify-osx. It's not official by any means, but the delta to upstream is small enough that it should be easy to audit yourself if you wish.

rillian commented on July 22, 2024

Well, we need some way to pass release trust from your upstream to downstream users. Are you saying you don't trust gpg's signature implementation? Why is that different from auditing the GNU autotools?

  • Produce a portable version of signify for packaging on other systems. It seems like a nice tool, especially the built-in checksum support.
  • Patch signify to produce OpenPGP signature blocks.
  • Someone who trusts both signify and an OpenPGP implementation re-signs the checksums.

It would also help to mirror the releases and/or checksum files here on github so people can cross-verify with however much additional value they want to put in the github https cert, and push signed git tags per issue #3.

bob-beck commented on July 22, 2024

Once we are back in North America where we can do it (the master signature
box is airgapped), in case you're ultra paranoid, the libressl public key
will be signed with an OpenBSD release key, which you can buy on CD if you
really want, and validate it that way.

Having said that, nothing wrong with having it in github - I've just put it
there in the top of the portable repository. It's also all over twitter if
you're on there and like to cross check from multiple sources.

On Mon, Jul 14, 2014 at 7:14 PM, Ralph Giles [email protected]
wrote:

Well, we need some way to pass release trust from your upstream to
downstream users. Are you saying you don't trust gpg's signature
implementation? Why is that different from auditing the GNU autotools?

Produce a portable version of signify for packaging on other systems.
It seems like a nice tool, especially the built-in checksum support.

Patch signify to produce OpenPGP signature blocks.

Someone who trusts both signify and an OpenPGP implementation
re-signs the checksums.

It would also help to mirror the releases and/or checksum files here on
github so people can cross-verify with however much additional value they
want to put in the github https cert, and push signed git tags per issue
#3.

bob-beck commented on July 22, 2024

It's also here :)
----8<--
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe

On Mon, Jul 14, 2014 at 8:52 PM, Bob Beck [email protected] wrote:

Once we are back in North America where we can do it (the master signature
box is airgapped), in case you're ultra paranoid, the libressl public key
will be signed with an OpenBSD release key, which you can buy on CD if you
really want, and validate it that way.

Having said that, nothing wrong with having it in github - I've just put
it there in the top of the portable repository. It's also all over twitter
if you're on there and like to cross check from multiple sources.

jpouellet commented on July 22, 2024

Patch signify to produce OpenPGP signature blocks.

It'd take more than that, and the cost outweighs the benefit.

So instead, here's what I have for the signify keys, signed by my pgp key (685B922D). I'm reasonably well connected to the web of trust, and I've verified openbsd-55-base.pub against my CD as well as in person with multiple openbsd devs at BSDCan 2014.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
untrusted comment: openbsd 5.5 base public key
RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
untrusted comment: openbsd 5.5 firmware public key
RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
untrusted comment: openbsd 5.5 packages public key
RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
untrusted comment: openbsd 5.6 base public key
RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
untrusted comment: openbsd 5.6 firmware public key
RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
untrusted comment: openbsd 5.6 packages public key
RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Now... how do you know I'm not $evil_person out to get you? You don't. Too bad.
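The cross-check described in the two comments above (the same signify key obtained from more than one source) can be done on the decoded key bytes rather than by eye. This is an added example, not code from the thread or from signify; it assumes signify's public key layout of a 2-byte algorithm tag, an 8-byte key number and a 32-byte Ed25519 key, and `parse_keys` and `cross_check` are hypothetical helper names.

```python
import base64

PREFIX = "untrusted comment: "

# Key exactly as posted by bob-beck in this thread.
POSTED = """untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
"""

# First two entries of the key list in jpouellet's signed message (armor omitted).
BUNDLE = """untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
untrusted comment: openbsd 5.5 base public key
RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
"""

def parse_keys(text):
    """Return {keynum_hex: (comment, pubkey_bytes)} for each key in text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected comment/key line pairs")
    keys = {}
    for comment, b64 in zip(lines[0::2], lines[1::2]):
        if not comment.startswith(PREFIX):
            raise ValueError("missing 'untrusted comment' line")
        raw = base64.b64decode(b64, validate=True)
        # Assumed layout: "Ed" tag (2 bytes), key number (8), Ed25519 key (32).
        if len(raw) != 42 or raw[:2] != b"Ed":
            raise ValueError("not a signify Ed25519 public key")
        # The comment is carried along for display only; it is never compared.
        keys[raw[2:10].hex()] = (comment[len(PREFIX):], raw[10:])
    return keys

def cross_check(reference, other):
    """Classify each key in `other` against `reference` by key number."""
    match, conflict, unknown = [], [], []
    for keynum, (_, pub) in other.items():
        if keynum not in reference:
            unknown.append(keynum)      # no second source for this key
        elif reference[keynum][1] == pub:
            match.append(keynum)        # both sources agree on the key bytes
        else:
            conflict.append(keynum)     # same key number, different key
    return match, conflict, unknown

if __name__ == "__main__":
    print(cross_check(parse_keys(POSTED), parse_keys(BUNDLE)))
```

A key number that appears in both sources with different key bytes lands in the conflict list, which is the case to investigate before trusting either copy.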

rillian commented on July 22, 2024

Thanks, all this helps.

mancha1 commented on July 22, 2024

Hi.

Those wishing to verify LibreSSL tarballs can use my portable version of OpenBSD's signify (project I began back in May [1]). It is quite self-contained and doesn't depend on things like libbsd for BSDisms or OpenSSL/LibreSSL for prng seed material. So, I anticipate it should build on many POSIXy systems (tested on Linux and Windows/Cygwin).

The latest version was sync'd on 20140902 and includes signify.c rev1.91 and updated support code including tweaks that hopefully make explicit_bzero more resistant to overzealous compilers:

My example-driven HOWTO should be enough to get one started.

--mancha

PS A few LibreSSL versions ago, verification worked flawlessly. However, the latest SHA256 digest lists contain full paths (e.g. /home/sign/libressl-2.0.2.tar.gz) which interfere with verification. Mistake?

[1] http://www.linuxquestions.org/questions/slackware-14/openbsd%27s-new-john-hancock-4175504101/
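The full-path problem noted in the PS above can be handled by matching digest entries to downloaded files by basename. This is an added example, not code from the thread or from signify; it assumes BSD-style `SHA256 (name) = digest` lines and a list whose signature has already been verified unmodified, and the function names are hypothetical.

```python
import hashlib
import os
import re
import tempfile

# Assumed list format: "SHA256 (name) = <64 hex digits>", one entry per line.
DIGEST_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")

def parse_digest_list(text):
    """Map basename -> digest; refuse lists where a basename is ambiguous."""
    entries = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if not m:
            continue  # comment, signature and blank lines are not entries
        name = os.path.basename(m.group(1))
        if name in entries and entries[name] != m.group(2):
            raise ValueError("ambiguous entry for " + name)
        entries[name] = m.group(2)
    return entries

def verify_dir(entries, directory):
    """Hash listed files found in directory: {basename: ok|FAIL|missing}."""
    results = {}
    for name, want in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == want else "FAIL"
    return results

def demo():
    """Constructed data: a stand-in tarball and a list naming it by full path."""
    body = b"constructed stand-in for a release tarball\n"
    digest = hashlib.sha256(body).hexdigest()
    listing = "SHA256 (/home/sign/libressl-2.0.2.tar.gz) = %s\n" % digest
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "libressl-2.0.2.tar.gz")
        with open(target, "wb") as f:
            f.write(body)
        good = verify_dir(parse_digest_list(listing), d)
        with open(target, "ab") as f:
            f.write(b"modified after signing")
        bad = verify_dir(parse_digest_list(listing), d)
    return good, bad

if __name__ == "__main__":
    print(demo())
```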
