Verifying Build Artifacts

The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so that artifacts can be validated using only tools included in the base operating system.

First, download the SSH public key:

$ fetch

Then download the build artifact. For purposes of this documentation, the
compressed memstick installation image for HardenedBSD 14-STABLE will be used.

$ fetch
$ fetch

Next, generate an `allowed_signers` file which contains the SSH public key:

$ echo "hbsd-os-build-01 $(cat" > allowed_signers

Now the signature file can be verified:

$ ssh-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz