OpenBSD Journal

OpenBSD is Now Distributing Signed Patches

Contributed by weerd on from the significant-signs dept.

After the inaugural email appeared, Ted Unangst (tedu@) clarified the new policy regarding the announcement of patches:

Starting today, we're going to try sending patches out via email so you don't miss them.

Several previous errata have also been recently published for OpenBSD 5.4 and 5.5. We won't be mailing them out individually since they aren't new, but you should check the web site for details.

Refer to and errata54.html.

(Also note that OpenBSD 5.3 is officially end of life and will not be receiving any more patches.)

He sent a separate, longer email explaining in greater depth the new policy:

Now that 5.5 is officially released, a few notes about our signing policy. I helped devise the policy, but there are a few operational details regarding the who and the what and where I don't know (because I don't need to know). I'll do my best to answer questions, but if this email doesn't already answer them, you may be out of luck. :)

What should be signed and what shouldn't? In short, we will sign "artifacts" but not general communications. Artifacts is my word for anything that we put up on the ftp sites. Releases, packages, installer ISOs, patches, etc. (We're currently transitioning from ftp to http servers, which is likely to blur the lines a bit, but the web site stuff hosted on is not an artifact.)

If something looks like an artifact, you should expect it to be signed. Note packages (including firmware) carry signatures internally and are automatically verified by pkg_add. Other files are automatically verified by the installer, so the three files you will need to verify by hand are 1) the installer itself, using SHA256.sig 2) any src.tar.gz files you download, using SHA256.sig and 3) any errata patches, which contain signature lines in the header.

(One exception at this time: snapshots/ports.tar.gz isn't signed.)

Emails will not be signed. As you may have noticed, the recent announcement email to misc@ had some lines stripped out of it (compare with the version that arrived via tech@). Email isn't a good channel for byte precise data transmission, which would lead to spurious signature verification failures. We'd like to avoid that.

If, for some reason it is necessary to send out an announcement and prove it's authentic, we'll upload it to the appropriate place and email a link. As a particular example, we're emailing out errata patches. It is still best if you download the patch from the ftp server and verify it.

Of course, this applies to 5.5 and forward. 5.4 patches won't be signed.

The process of verifying sets is documented in the signify(1) manpage, basically it boils down to:

$ signify -C -p /etc/signify/ -x SHA256.sig

Using officially released CDs is even easier, you can order them here.

(Comments are closed)

  1. By Anonymous Coward ( on

    Thank you for sending out the patches via email and doing the signing!

  2. By Anonymous Coward ( on

    Send to where? or?

    1. By Renaud Allard (renaud) on

      > Send to where? or?
      > Thanks.

      announce@ and tech@


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]