The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so that artifacts can be validated using only tools included in the base operating system.
First, download the SSH public key:
```
$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt
```
Then download the build artifact and its signature file. For the purposes of this documentation, the compressed memstick installation image for HardenedBSD 14-STABLE will be used.
```
$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz
$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig
```
Next, generate an `allowed_signers` file that maps the signer identity `hbsd-os-build-01` to the SSH public key:
```
$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers
```
Now the signature file can be verified:
```
$ ssh-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz
```
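
What the verify command above actually enforces, rehearsed offline with a throwaway key. This is an added example, not part of the HardenedBSD documentation; `demo-signer`, the sample artifact and the function names are constructed for the demo, and OpenSSH 8.1 or later is assumed.

```shell
#!/bin/sh
# Added example: rehearse the verification offline with a throwaway key.
# All names here (demo-signer, artifact, rehearse) are constructed for the demo.
# Requires OpenSSH 8.1 or later for ssh-keygen -Y sign / -Y verify.

# verify_artifact SIGNERS IDENTITY FILE
# Same command as on the page: succeeds only if FILE.sig is a valid signature
# over FILE, made in the "file" namespace by a key listed for IDENTITY.
verify_artifact() {
    ssh-keygen -Y verify -f "$1" -I "$2" -n file -s "$3.sig" < "$3" >/dev/null 2>&1
}

outcome() { if verify_artifact "$@"; then echo accepted; else echo rejected; fi; }

rehearse() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found"; return 0; }
    d=$(mktemp -d) || return 1
    # Throwaway signing key and a constructed stand-in for the artifact.
    ssh-keygen -q -t ed25519 -N '' -C throwaway -f "$d/key" >/dev/null || return 1
    printf 'constructed sample artifact\n' > "$d/artifact"
    ssh-keygen -Y sign -f "$d/key" -n file "$d/artifact" >/dev/null 2>&1 || return 1
    echo "demo-signer $(cat "$d/key.pub")" > "$d/allowed_signers"

    # Case 1: untouched artifact, expected identity.
    ok=$(outcome "$d/allowed_signers" demo-signer "$d/artifact")

    # Case 2: same signature, artifact changed after signing.
    cp "$d/artifact" "$d/tampered"; cp "$d/artifact.sig" "$d/tampered.sig"
    echo 'extra bytes' >> "$d/tampered"
    tampered=$(outcome "$d/allowed_signers" demo-signer "$d/tampered")

    # Case 3: valid signature, but the key is not listed for this identity.
    identity=$(outcome "$d/allowed_signers" someone-else "$d/artifact")

    # Case 4: valid signature made in another namespace ("git", not "file").
    cp "$d/artifact" "$d/other"
    ssh-keygen -Y sign -f "$d/key" -n git "$d/other" >/dev/null 2>&1 || return 1
    namespace=$(outcome "$d/allowed_signers" demo-signer "$d/other")

    rm -rf "$d"
    echo "untouched=$ok tampered=$tampered identity=$identity namespace=$namespace"
}

rehearse
```

Because `ssh.pub.txt` is fetched from the same host as the artifacts, print its fingerprint with `ssh-keygen -lf ssh.pub.txt` and compare it with a copy obtained through a separate channel.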