Vulnerabilities and Digital Signatures for OpenBSD Software Packages

Vulnerabilities and Digital Signatures

Auditing OpenBSD Software Packages

If you audit systems on a regular basis, you eventually will come across an OpenBSD system. OpenBSD is known for its heavy focus on security, resulting in an operating system with a low footprint and well-audited source code.

While most operating systems are reasonably secure out of the box, installing external software components quickly introduces new security holes. Although OpenBSD checks the packages it adds carefully, a package might still contain a vulnerability waiting to be discovered. So in this article we take a close look at dealing with packages and what to look for when auditing them.

OpenBSD Software Packages

Packages versus Ports

OpenBSD can install software either as a package or as a port. The latter is nothing more than a smart reference to the original source files, completed with operating system specific patches. This enables the system to actually build the program successfully.

Packages, on the other hand, are precompiled binaries, complete with configuration files and installation instructions. In this case the package manager knows exactly where to place each file and with what permissions.

OpenBSD advises users to use packages, as they are optimized and carefully examined. Besides that, it limits the hassle users might have getting ports compiled, due to changes in the operational environment. The smallest change in a default compiler option might influence the behavior of the program; such details are better left to the dedicated people who build the packages.

Vulnerability Scanning

OpenBSD does not maintain a specific vulnerability database, like for example NetBSD does. To determine what (security) updates are available, it is therefore wise to follow the related mailing lists and simply keep software packages up to date.

Checking for updates can be done with the pkg_add utility. Use update mode (-u) and don't allow it to actually perform the update (-s, simulation). The -x and -I options disable the progress meter and force non-interactive mode.

pkg_add -Isxu

Note: this will only work for snapshots and when upgrading between releases.

Digital Signatures

Starting with OpenBSD 5.5, the tool signify was introduced. The name is a combination of "sign" and "verify". So it is no surprise that its goal is to sign and verify OpenBSD releases, including underlying components like packages.

Signify components

To allow OpenBSD software packages to be signed and verified, the process is split into two phases. In the first phase a package maintainer builds the package and then signs it with a secret key (private key). When a user wants to install that package, the corresponding public key is used to verify the digital signature. If it matches, installation continues; if not, the installation is aborted.

Public keys

OpenBSD distributes the keys packaged with the base system itself.

# ls -l /etc/signify/*
-rw-r--r--  1 root  wheel  104 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  108 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  108 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  104 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  108 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  108 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  104 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  108 Aug  8 08:05 /etc/signify/
-rw-r--r--  1 root  wheel  108 Aug  8 08:05 /etc/signify/

These files represent the base system, firmware, and packages.

Checks in pkg_*

To be useful, digital signatures should be checked before new components are actually installed on the system. So the utility pkg_add was extended to do these checks. Next in line is pkg_info, which got a new -C option to show the certificate information as well. The result of using this option is a small line stating "reportedly signed by" followed by the name of the public key.

[Screenshot: pkg_info output of a digitally signed software package in OpenBSD]

Signify tool

Another option is to use the signify tool directly. For example, when downloading new files, use the related key and the signed hash file to verify the integrity of the downloaded file.

# ftp{bsd,SHA256.sig}
# signify -C -p /etc/signify/ -x SHA256.sig bsd
Signature Verified
bsd: OK

OpenBSD is known for its security, so it was actually a surprise that signed software was only introduced in OpenBSD 5.5. But now that it is available, the chain from package release up to installation can be checked more easily. This is definitely another good step to keep systems secure!


  • Nice article, Michael,

    > OpenBSD distributes the keys via a package

    The public keys are actually distributed as part of the base system, not as a package. They are also available via the source tree, printed on the physical release media, and even tweeted by some developers.

    > pkg_add -Isxu

    Unfortunately, updated binary packages are only available for OpenBSD snapshots, not releases. This means the output of the above command will not produce meaningful results on 5.5/5.6. Ideally one should proactively monitor the ports mailing lists, or alternatively, for 5.6, use a service offered by a company like M:Tier. They provide stable binary updates for the latest release for free.
