Authentic pufferfish for penguins: How to create verified OpenBSD installation media on Linux

2019-10-20

Note: Shortly before this article could be finished, the release of OpenBSD 6.6 happened and anyone installing a new OpenBSD system should now use that. The text has been reviewed to ensure everything written below still applies.

Recently, I decided to put OpenBSD on a spare old PC to have it available for reference, portability testing and gaining some insight into how this system generally works. While installing it turned out to be surprisingly easy, one thing that needed some investigation was how verifying an OpenBSD release image works and how to do that on a Linux system.

So, in this article, I'm going to show how that is done. And while I'm at it, I will also show how to create OpenBSD installation media on CD using Linux because the Installation Guide included in OpenBSD's FAQ doesn't cover that. In case you want to use a flash drive instead, you can simply use dd to apply the image as described in said Installation Guide. Beware that dd will destroy all existing data on the target device. So, double-checking which device it would write to before hitting Enter is strongly advised.

Before I proceed, let me say that this article is meant to be a mere supplement to the Downloading OpenBSD and Creating Install Media sections in OpenBSD's Installation Guide, which you should definitely read in its entirety if you want to install this system and have little or no prior experience with that.

First of all, here's an overview of the steps that need to be taken to create a verified, bootable OpenBSD installation CD on Linux:

• Downloading the necessary files
• Installing OpenBSD's signify program
• Verifying the installer image using signify
• Burning the image onto a CD

Downloading the necessary files

There are a couple of things that need to be downloaded in order to verify an OpenBSD release image. Apart from the image itself, these are:

• the accompanying SHA256.sig file, which contains the image's checksum and a signature
• the release's signing key, needed to verify the signature contained in SHA256.sig

It's a good idea to place these files in a dedicated directory. I used ~/Downloads/OpenBSD/6.5 because I was going to install OpenBSD 6.5, the latest release at the time of writing. Then, I used an additional subdirectory indicating the hardware architecture the contained image was built for. This is a good idea because the file names of OpenBSD's installer images themselves do not indicate that. (Finding an image suitable for a specific hardware architecture is covered below.)

The OpenBSD project offers several types of installation images, ranging from full-blown versions including all file sets^[1] down to a tiny 1.44 MB floppy disk image. Their differences are covered in the Installation Guide, so there's no need to repeat that information here.

One thing to be aware of is that OpenBSD doesn't offer hybrid images, meaning the .iso files only work for optical discs. For everything else, one of the image files with the fs extension will have to be used.

As I was going to create an installation CD, I chose the cd65.iso image (65 meaning that this is OpenBSD 6.5). This image does not include file sets and is thus fairly small, not exceeding the size of 10 megabytes for all but one supported hardware architecture. The sets can be pulled from the network (or, alternatively, another local medium) at a certain point in the installation process. Installing OpenBSD this way is kind of similar to using a Debian network install image.

After choosing which installation image to use, you'll need to obtain a variant of the chosen image that is suitable for the processor type of the computer OpenBSD is going to be installed on. The Hardware Support section of the FAQ has more information on that. The machine I later installed the system on came with an AMD Athlon XP processor, which meant I had to use the cd65.iso variant for what OpenBSD calls the i386 architecture, i.e., the standard 32-bit PC variant.

Installation images for the latest OpenBSD release are linked right in the FAQ's Downloading OpenBSD section. Alternatively, the release page – e.g., https://www.openbsd.org/65.html – provides a link to a list of mirrors, you can download them from. Those mirrors are also the place to obtain the SHA256.sig file for the respective release.

For example, I chose to use the mirror at https://ftp.fau.de/pub/OpenBSD/, navigated to 6.5/i386 in its directory tree and then downloaded cd65.iso as well as SHA256.sig from there.

Next, you will need to get the release key. There are actually several keys coming with a release, but only the base key is needed to verify an installation image. As of OpenBSD 6.5, a file containing that key can be downloaded right from the release page. The other ones as well as keys for prior releases are available from the src/etc/signify directory in OpenBSD's public CVS repository, with key files for older releases hidden in the Attic directory. Running any of those older OpenBSD versions is, however, not advisable unless you have truly compelling reasons and know what you're doing. The reason for that is simple: “Only the two most recent OpenBSD releases receive security and reliability fixes for the base system.”^[2]

Key files can also be put together manually, using the keys as provided on the respective release page. This can, for example, come in handy if you have the page printed on paper or saved to a file and no Internet access. The key file format merely demands that the key itself be preceded by a line starting with untrusted comment: (including the trailing space) and then some arbitrary text. As the purpose of that comment is to “be used as a hint for the name of the public key” (signify(1)), it is a good idea to follow the form openbsd <version> <key name>, which is used for key files provided by the OpenBSD project, for example:

untrusted comment: openbsd 6.5 base public key
RWSZaRmt1LEQT9CtPygf9CvONu8kYPTlVEJdysNoUR62/NkeWgdkc3zY

Installing signify

Unlike probably all Linux distributions that provide signed releases, OpenBSD does not use GPG for signing and verifying its releases. Instead, a program called signify is used. It was implemented by Ted Unangst explicitly for that purpose.^[3] So, in order to verify an OpenBSD image, signify needs to be available on the system used to perform the verification.

On Debian, there is a package called signify-openbsd, which contains a portable version of the program. On Void Linux, it is provided by the signify package.

As my main computer runs Devuan, which is, for the most part, the same as Debian, I simply used apt-get to install the signify-openbsd package:

# apt-get install signify-openbsd

Verifying the image

The verification procedure then goes like this: First, the signify program will check the signature contained in the SHA256.sig file against the release's base key. If that goes well, the SHA256 checksum for the respective installer image in SHA256.sig will be compared to the SHA256 checksum your system calculates for the downloaded image file.

To verify the image I had downloaded, I did the following inside my ~/Downloads/OpenBSD/6.5/i386 directory:

$ signify-openbsd -C -p openbsd-65-base.pub -x SHA256.sig cd65.iso
Signature Verified
cd65.iso: OK

As signify's manual page explains, -C tells it to verify a signed checksum list while -p defines the public key and -x the signature file to use. Finally, providing the name of the image file to be verified prevents the program from trying to verify the SHA256 checksums for all of the files listed in SHA256.sig, which would result in barrage of error messages because all but one of those files are missing here.

Verifying only checksums

Up to version 5.4, OpenBSD releases were not signed and the only way to check whether a downloaded image was corrupted was to compare the image's SHA256 checksum to the one provided by the accompanying SHA256 file, i.e., to perform an integrity check. This method can, however, only detect accidental corruption. But that's still way better than nothing whenever using signify to verify a release's signature isn't possible. OpenBSD still offers unsigned SHA256 files containing all the same checksums as the signed ones. However, it's also possible to use the signed version (SHA256.sig) just to compare the checksums. The sha256sum utility will only complain about two extra lines in that file (those making up the signature) not being formatted correctly:

$ sha256sum -c --ignore-missing SHA256.sig
cd65.iso: OK
sha256sum: WARNING: 2 lines are improperly formatted

The problem with merely checking an image's integrity is that it only verifies that the downloaded image is exactly the same as the one provided on a particular server. It does not provide any means of verifying that it is also the image as intended by the OpenBSD project, i.e., authentic OpenBSD. If someone provided a rogue image with an appropriate checksum file, an integrity check would not provide any protection. As mentioned above, the signify program will instead first perform an authenticity check, comparing the signature contained in SHA256.sig to a public key published by the OpenBSD project and only if that succeeds proceed to verify an image's integrity, making it much harder for anyone to circulate intentionally corrupted images.

Burning the image onto a CD

The cdio command used in the OpenBSD Installation Guide is OpenBSD's own utility and seems to exist on that system exclusively. So, Linux users will have to find another tool for the job.

Whatever the tool you end up using, please use a rewritable CD if you have a choice. It's simply nonsensical to waste an entire 700 MB medium for an installation image that consumes much less space and might be used only once. Also, there's always a chance of something going wrong in the process, either due to the user making a mistake or some software or hardware error. Using a rewritable CD allows for starting over on the same medium, which any sane person will prefer to creating a pile of unusable discs that can go straight into the trash can.

The de facto standard utility for burning CDs on Linux (and most other Unix-like systems) seems to be cdrecord from the cdrtools suite maintained by Jörg Schilling. However, Debian notoriously doesn't ship cdrtools. The same is true for Devuan. But there is a viable alternative in Debian's package repositories: cdrskin, which is part of the libburnia project. Void Linux offers both.

For simply burning an image to an empty CD, both tools share the same syntax:

$ cdrecord -v speed=4 cd65.iso
$ cdrskin -v speed=4 cd65.iso

For overwriting a non-empty disc, running one of the following two commands should be sufficient:

$ cdrecord -v speed=4 blank=fast cd65.iso
$ cdrskin -v speed=4 blank=as_needed cd65.iso

As long as there is only one CD drive on your system, there should be no need to specify a device name, since it will normally be detected automatically. Also, both utilities will automatically handle burning the image to the CD correctly, i.e., you won't end up with a CD merely containing the image file but a bootable file system made from that file.

---