Authentic pufferfish for penguins: How to create verified OpenBSD installation media on Linux
Note: Shortly before this article could be finished, the release of OpenBSD 6.6 happened and anyone installing a new OpenBSD system should now use that. The text has been reviewed to ensure everything written below still applies.
Recently, I decided to put OpenBSD on a spare old PC to have it available for reference, portability testing and gaining some insight into how this system generally works. While installing it turned out to be surprisingly easy, one thing that needed some investigation was how verifying an OpenBSD release image works and how to do that on a Linux system.
So, in this article, I'm going to show how that is done. And while
I'm at it, I will also show how to create OpenBSD installation media on
CD using Linux because the Installation Guide included in
OpenBSD's FAQ doesn't cover
that. In case you want to use a flash drive instead, you can simply use
dd
to apply the image
as described
in said Installation Guide. Beware that dd
will
destroy all existing data on the target device. So,
double-checking which device it would write to before hitting
Enter is strongly advised.
Before I proceed, let me say that this article is meant to be a mere supplement to the Downloading OpenBSD and Creating Install Media sections in OpenBSD's Installation Guide, which you should definitely read in its entirety if you want to install this system and have little or no prior experience with that.
First of all, here's an overview of the steps that need to be taken to create a verified, bootable OpenBSD installation CD on Linux:
- Downloading the necessary files
- Installing OpenBSD's
signify
program - Verifying the installer image using
signify
- Burning the image onto a CD
Downloading the necessary files
There are a couple of things that need to be downloaded in order to verify an OpenBSD release image. Apart from the image itself, these are:
-
the accompanying
SHA256.sig
file, which contains the image's checksum and a signature -
the release's signing key, needed to verify the signature contained
in
SHA256.sig
It's a good idea to place these files in a dedicated directory. I
used ~/Downloads/OpenBSD/6.5
because I was going to
install OpenBSD 6.5, the latest release at the time of writing. Then, I
used an additional subdirectory indicating the hardware architecture the
contained image was built for. This is a good idea because the file
names of OpenBSD's installer images themselves do not indicate that.
(Finding an image suitable for a specific hardware architecture is
covered below.)
The OpenBSD project offers several types of installation images, ranging from full-blown versions including all file sets[1] down to a tiny 1.44 MB floppy disk image. Their differences are covered in the Installation Guide, so there's no need to repeat that information here.
One thing to be aware of is that OpenBSD doesn't offer hybrid images,
meaning the .iso
files only work for optical discs. For
everything else, one of the image files with the fs
extension will have to be used.
As I was going to create an installation CD, I chose the
cd65.iso
image (65
meaning that this is
OpenBSD 6.5). This image does not include file sets and is thus fairly
small, not exceeding the size of 10 megabytes for all but one supported
hardware architecture. The sets can be pulled from the network (or,
alternatively, another local medium) at a certain point in the
installation process. Installing OpenBSD this way is kind of similar to
using a Debian network install image.
After choosing which installation image to use, you'll need to obtain
a variant of the chosen image that is suitable for the processor type of
the computer OpenBSD is going to be installed on. The
Hardware
Support section of the FAQ has more information on that. The
machine I later installed the system on came with an AMD Athlon XP
processor, which meant I had to use the cd65.iso
variant
for what OpenBSD calls the i386 architecture, i.e., the standard 32-bit
PC variant.
Installation images for the latest OpenBSD release are linked right
in the FAQ's Downloading OpenBSD section. Alternatively,
the release page – e.g., https://www.openbsd.org/65.html
–
provides a link to a list of mirrors, you can download them from. Those
mirrors are also the place to obtain the SHA256.sig
file
for the respective release.
For example, I chose to use the mirror at
https://ftp.fau.de/pub/OpenBSD/
, navigated to
6.5/i386
in its directory tree and then downloaded
cd65.iso
as well as SHA256.sig
from there.
Next, you will need to get the release key. There are actually
several keys coming with a release, but only the base
key
is needed to verify an installation image. As of OpenBSD 6.5, a file
containing that key can be downloaded right from the release page. The
other ones as well as keys for prior releases are available from
the
src/etc/signify
directory in OpenBSD's public CVS
repository, with key files for older releases hidden in the
Attic
directory. Running any of those older OpenBSD
versions is, however, not advisable unless you have truly compelling
reasons and know what you're doing. The reason for that is simple: “Only
the two most recent OpenBSD releases receive security and reliability
fixes for the base
system.”[2]
Key files can also be put together manually, using the keys as
provided on the respective release page. This can, for example, come in
handy if you have the page printed on paper or saved to a file and no
Internet access. The key file format merely demands that the key itself
be preceded by a line starting with untrusted comment:
(including the trailing space) and then some arbitrary text. As the
purpose of that comment is to “be used as a hint for the name of the
public key” (signify(1)), it is a good idea to follow the form
openbsd <version> <key name>
, which is used for
key files provided by the OpenBSD project, for example:
untrusted comment: openbsd 6.5 base public key RWSZaRmt1LEQT9CtPygf9CvONu8kYPTlVEJdysNoUR62/NkeWgdkc3zY
Installing signify
Unlike probably all Linux distributions that provide signed releases,
OpenBSD does not use GPG for signing and verifying its releases.
Instead, a program called signify
is used. It was
implemented by Ted Unangst explicitly for that
purpose.[3] So, in
order to verify an OpenBSD image, signify
needs to be
available on the system used to perform the verification.
On Debian, there is a package called signify-openbsd
,
which contains a portable version of the program. On Void Linux,
it is provided by the signify
package.
As my main computer runs Devuan, which is, for the most part, the
same as Debian, I simply used apt-get
to install the
signify-openbsd
package:
# apt-get install signify-openbsd
Verifying the image
The verification procedure then goes like this: First, the
signify
program will check the signature contained in
the SHA256.sig
file against the release's base
key. If that goes well, the SHA256 checksum for the respective installer
image in SHA256.sig
will be compared to the SHA256 checksum
your system calculates for the downloaded image file.
To verify the image I had downloaded, I did the following inside my
~/Downloads/OpenBSD/6.5/i386
directory:
$ signify-openbsd -C -p openbsd-65-base.pub -x SHA256.sig cd65.iso Signature Verified cd65.iso: OK
As signify
's manual page explains, -C
tells
it to verify a signed checksum list while -p
defines the
public key and -x
the signature file to use. Finally,
providing the name of the image file to be verified prevents
the program from trying to verify the SHA256 checksums for all of the
files listed in SHA256.sig
, which would result in barrage
of error messages because all but one of those files are missing here.
Verifying only checksums
Up to version 5.4, OpenBSD releases were not signed and the only way
to check whether a downloaded image was corrupted was to compare the
image's SHA256 checksum to the one provided by the accompanying
SHA256
file, i.e., to perform an integrity check. This
method can, however, only detect accidental corruption. But that's still
way better than nothing whenever using signify
to verify a
release's signature isn't possible. OpenBSD still offers unsigned
SHA256
files containing all the same checksums as the
signed ones. However, it's also possible to use the signed version
(SHA256.sig
) just to compare the checksums. The
sha256sum
utility will only complain about two extra lines
in that file (those making up the signature) not being formatted
correctly:
$ sha256sum -c --ignore-missing SHA256.sig cd65.iso: OK sha256sum: WARNING: 2 lines are improperly formatted
The problem with merely checking an image's integrity is that it only
verifies that the downloaded image is exactly the same as the one
provided on a particular server. It does not provide any means of
verifying that it is also the image as intended by the OpenBSD project,
i.e., authentic OpenBSD. If someone provided a rogue image with an
appropriate checksum file, an integrity check would not provide any
protection. As mentioned above, the signify
program will
instead first perform an authenticity check, comparing the signature
contained in SHA256.sig
to a public key published by the
OpenBSD project and only if that succeeds proceed to verify an image's
integrity, making it much harder for anyone to circulate intentionally
corrupted images.
Burning the image onto a CD
The cdio
command used in the OpenBSD Installation
Guide is OpenBSD's own utility and seems to exist on that system
exclusively. So, Linux users will have to find another tool for the
job.
Whatever the tool you end up using, please use a rewritable CD if you have a choice. It's simply nonsensical to waste an entire 700 MB medium for an installation image that consumes much less space and might be used only once. Also, there's always a chance of something going wrong in the process, either due to the user making a mistake or some software or hardware error. Using a rewritable CD allows for starting over on the same medium, which any sane person will prefer to creating a pile of unusable discs that can go straight into the trash can.
The de facto standard utility for burning CDs on Linux (and most
other Unix-like systems) seems to be cdrecord
from the
cdrtools
suite maintained by Jörg Schilling. However,
Debian notoriously doesn't ship cdrtools
. The same is true
for Devuan. But there is a viable alternative in Debian's package
repositories: cdrskin
, which is part of the
libburnia project. Void Linux offers both.
For simply burning an image to an empty CD, both tools share the same syntax:
$ cdrecord -v speed=4 cd65.iso $ cdrskin -v speed=4 cd65.iso
For overwriting a non-empty disc, running one of the following two commands should be sufficient:
$ cdrecord -v speed=4 blank=fast cd65.iso $ cdrskin -v speed=4 blank=as_needed cd65.iso
As long as there is only one CD drive on your system, there should be no need to specify a device name, since it will normally be detected automatically. Also, both utilities will automatically handle burning the image to the CD correctly, i.e., you won't end up with a CD merely containing the image file but a bootable file system made from that file.
[1] The file sets (or just sets) are simply the different software collections making up the OpenBSD base system. There are 11 of those. See https://www.openbsd.org/faq/faq4.html#FilesNeeded for details. [back]
[2] https://www.openbsd.org/faq/faq5.html#Flavors [back]
[3] In a
talk
presented at BSDCan 2015, the author gave an in-depth explanation of
why and how signify
came about and how it works.
[back]