
File: [local] / www / papers / bsdcan-signify.html

Revision 1.2, Mon Mar 21 05:46:22 2016 UTC (8 years, 2 months ago) by beck
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +1 -1 lines

change http://www.openbsd.org/cgi-bin/man.cgi to be http://man.openbsd.org
this points stuff to the new place and gets us ready to deprecate the old
place we did this.

<!doctype html>
<html>
<head>
<title>signify: Securing OpenBSD From Us To You</title>
<style>
body {
	max-width: 720px;
	padding: 2em;
}
.title {
	text-align: center;
}
.main {
	font-size: 1em;
	line-height: 2em;
}
em {
	font-style: normal;
	font-family: monospace;
}
</style>
</head>
<body>
<div class=title>
<p style=font-size:2em>
signify:<br>
Securing OpenBSD From Us To You
<p>
Ted Unangst &lt;tedu@openbsd.org>
<p>
BSDCan 2015
</div>
<div class=main>
<p>
<h2>Introduction</h2>
<p>
I'm going to talk today about signify, a tool I wrote for the OpenBSD project
that cryptographically signs and verifies. This allows us to ensure that the
releases we ship arrive on your computer in their original, intended form,
without tampering.
<h2>Alternatives</h2>
<p>
OpenBSD had already been publishing checksums, but although a SHA256
checksum is cryptographically secure, the checksums themselves were not being
communicated to users in a secure manner, and were only useful for detecting
accidental damage.
<p>
One idea that floated around (outside the project) was to use HTTPS. I
don't think this was ever seriously considered internally, but whenever some
people hear HTTP is insecure, they just assume the answer is HTTPS. There are
some reasons this wasn't going to fly. It violates the end-to-end argument. We want
to make sure that the artifact we build is the artifact you receive; 
ensuring that the artifact your local mirror sends you is the artifact you
receive is not nearly equivalent. First, many mirrors are run by friendly
people, but not the project. We don't actually control them, nor do we want
to. Second, this puts all those mirrors inside the circle of trust. That's
simply too much surface to confidently declare secure. Third, this proposal
often implicitly included buying in to the CA model. We would prefer not to
delegate final authority over what constitutes authentic OpenBSD releases to
several hundred people we've never met. And if not CAs, then why use TLS? It
takes more code for a TLS client just to negotiate hello than in all of
signify.
<p>
The first most likely option we might consider is PGP or GPG. I hear other
operating systems do so. The concerns I had using an existing tool were
complexity, quality, and complexity.
<p>
There was a PGP usability study conducted
a few years ago where a group of technical people were placed in a room with
a computer and asked to set up PGP. Two hours later, they were never seen or
heard from again. Even though the end user is actually shielded in most cases
from ever directly interacting with signify, I felt it was important that
users be able to quickly understand how everything worked.
<p>
We wanted to ensure all the code involved in signing met our quality
standards. Without digressing too much, we have much more control over the
quality of code that's developed in tree versus code developed elsewhere
and imported.
<p>
The complexity of the code is also a factor. All those complex features
require lots of complex code, which balloons the size of the import and makes
auditing nearly impossible. Even if a perfect PGP codebase existed, how would
we be able to identify it? Or as
<a href="https://twitter.com/matthew_d_green/status/564520941246754816">
Prof. Green put it</a>,
"Can someone who built GnuPG 2.1.1 on Debian/Ubuntu give me a hint on which libgpg-error you used?"
If he doesn't know which libgpg-error to use, I doubt I'm going to pick the right one.
<h2>Start From Scratch</h2>
<p>
So screw all that. Let's write our own tool, from scratch. How hard can it be?
<p>
Well, we have some decisions to make, but in many cases we can reduce our
implementation effort. Most importantly, if our choices are A, B, C, or D, we
will never pick E) all of the above.
<p>
First up, we need a crypto algorithm (and implementation). Fortunately, some
Ed25519 code had recently been imported into ssh. This reduced the candidate
search set down to a single choice which only needed to be vetted to make
sure it was a match for our requirements.
<p>
Next, the plumbing. What metadata to include in keys and signatures. What
metadata not to include.
<p>
The interface. We need to sign things. We need to verify things. How many
command line arguments could you possibly need for that?
<h2>Ed25519</h2>
<p>
Although the Ed25519 algorithm is at the core of signify, it's not what this
talk is about. Nevertheless, it's important to cover the highlights. Ed25519
is a variation of the Curve25519 elliptic curve used for Diffie-Hellman key
exchange. Elliptic curve cryptography requires a much smaller key size than
RSA or DSA for equivalent security. This particular curve was designed by DJB
to facilitate efficient, secure implementations. And whereas traditional DSA
or ECDSA requires a random nonce, Ed25519 uses a hash of the message for the
nonce. Insufficient random nonces have led to some catastrophic failures in
other signature schemes. Basically, take all the received wisdom about what
you need to very carefully not screw up, then make it impossible to screw
those things up. Pretty slick.
<p>
The only likely complaint is that the security margin of 128 bits is on the
small side compared to some other curves. It's only heat death of the universe
secure and not heat death of all the universes secure. Now, even if you are super paranoid
about this, the good news is that signify keys don't need to last forever.
I'll cover key rotation in a bit, but being able to forge signatures for
past releases of OpenBSD is of very limited value. This is quite unlike
breaking an encryption key, which may let you read old secret data. If in five
years time, the TILT-A-CURVE exploit renders Ed25519 useless, we move on to
something better.
<h2>Files</h2>
<p>
Let's look at a signify key.
<p>
[Image: the signify public key for the 5.7 release, shown as a picture]
<p>
Feel free to take a picture if you like. That's the public key for the current
5.7 release. Technically, a key will more likely and more conveniently exist
in text form, but if you are concerned about how to authenticate that the key
on the website hasn't been tampered with, and the CD in the mail wasn't
interdicted, you can always come to a BSD conference and take a picture.
Assuming you're foolish enough to trust your camera's image sensor firmware.
<p>
The text is probably a little more interesting. Here's the
/etc/signify/openbsd-57-base.pub file from my system.
<p>
<pre>
untrusted comment: openbsd 5.7 base public key
RWSvUZXnw9gUb70PdeSNnpSmodCyIPJEGN1wWr+6Time1eP7KiWJ5eAM
</pre>
<p>
The untrusted comment at the top is a little weird, I'll admit. Especially
since it's the closest thing to a user serviceable part here. Everything else
is hidden inside a base64 encoded blob. So this is telling us that this is the
public key for 5.7, which we could infer from the filename as well, but maybe
the name has been truncated to openbs~1.pub. But at the same time, it's telling
us not to trust it. It's a messy solution to a messy problem. The human factor
will always remain one of the weakest points in a secure system. Despite
efforts to make signify verification just work, invisibly, one of my biggest
fears is that users get tricked into trusting a fake key. If you do a little
research into what people find trustful, it's usually not what they hear but
what they see. You won't believe a stranger who tells you a key is legit,
but if you look at it yourself, you're more likely to believe it. So here's a
little hint that maybe you shouldn't.
<p>
Inside the base64 data are the fun bits. Decoded, there are 2 bytes which say
"Ed" in case we ever need to change algorithms, 8 random bytes used to detect
accidental key signature mismatches and give friendlier error messages, and
then the 32 bytes of actual key. A signature is exactly the same format,
but 64 bytes long instead.
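<p>
The layout just described, as an added example (not code from signify or the
OpenBSD tree): a Python parser for the text form that splits out the algorithm
tag, the 8 key-number bytes and the payload, and uses the key number to reject
a signature made by a different key. The names parse, check_keynum and make_sig
are assumptions, and the sample signature is constructed with all-zero
signature bytes, so it exercises the layout only and is not a valid Ed25519
signature.

```python
import base64
from dataclasses import dataclass

PKALG = b"Ed"     # 2-byte algorithm tag described above
KEYNUM_LEN = 8    # random bytes that pair a signature with its key
PUBKEY_LEN = 32
SIG_LEN = 64
PREFIX = "untrusted comment: "

@dataclass
class Blob:
    comment: str      # untrusted: nothing signs this line
    keynum: bytes
    payload: bytes    # 32-byte public key or 64-byte signature

def parse(text: str, payload_len: int) -> Blob:
    """Parse the text form: a comment line, then one base64 line."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith(PREFIX):
        raise ValueError("missing 'untrusted comment: ' line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != len(PKALG) + KEYNUM_LEN + payload_len:
        raise ValueError(f"unexpected decoded length {len(raw)}")
    if raw[:2] != PKALG:
        raise ValueError(f"unsupported algorithm {raw[:2]!r}")
    return Blob(lines[0][len(PREFIX):], raw[2:10], raw[10:])

def check_keynum(pub: Blob, sig: Blob) -> None:
    """Give a clear error when the signature was made by another key."""
    if pub.keynum != sig.keynum:
        raise ValueError(
            f"signature keynum {sig.keynum.hex()} does not match "
            f"public key keynum {pub.keynum.hex()}: wrong key for this file")

# The 5.7 base public key exactly as shown above.
PUB_57 = ("untrusted comment: openbsd 5.7 base public key\n"
          "RWSvUZXnw9gUb70PdeSNnpSmodCyIPJEGN1wWr+6Time1eP7KiWJ5eAM\n")

def make_sig(keynum: bytes) -> str:
    """Constructed sample: correct layout, all-zero (invalid) signature."""
    blob = base64.b64encode(PKALG + keynum + bytes(SIG_LEN)).decode()
    return f"{PREFIX}constructed sample signature\n{blob}\n"

if __name__ == "__main__":
    pub = parse(PUB_57, PUBKEY_LEN)
    print(pub.comment, pub.keynum.hex(), len(pub.payload))
    check_keynum(pub, parse(make_sig(pub.keynum), SIG_LEN))
    try:
        check_keynum(pub, parse(make_sig(bytes(KEYNUM_LEN)), SIG_LEN))
    except ValueError as err:
        print("rejected:", err)
```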
<p>
In the interest of promoting inter-BSD cooperation, I figured I'd also show
you the FreeBSD security officer key in case you'd like to take a picture of
that as well.
<p>
[The FreeBSD security officer PGP public key block, set in 4px type]
<p>
Hope you brought a zoom lens.
<h2>Command Line</h2>
<p>
The signify tool is really just an interface to the cryptographic routines.
After some initial debate, all arguments are specified with command line flags.
There are no positional arguments, such as the source and destination arguments
for cp or mv. I value explicit verbosity over implicit mistakes.
For starters, most signify usage is going to be embedded in scripts. Typing a
few extra characters won't kill you. Even for casual use, it can save you
a trip to the man page. Is the order sign the message with the key, or use the
key to sign the message? I still can't use ln without reading the man page every
time. Somebody explained it, but then I still got it backwards in my head.
<h2>Artifacts</h2>
<p>
Before we go into how signing and verifying work in practice, I'm going to
digress to define the term artifact. Artifacts are what we ultimately wish to
verify. This includes the built releases and packages. It also includes the
errata, since they are like an addendum to the release. But it doesn't include
miscellaneous communications or announcements or the web site. I introduce
this term because in crypto speak we usually talk about signing and verifying
messages, which is exactly what signify does, but that's not to say we use
it for messages in general.
<h2>Usage</h2>
<p>
If you've installed OpenBSD recently, you've probably noticed the installer
splits the download and untar operations into two phases, which allows it to
verify the integrity and authenticity of the sets before installation. As
before, the sets are actually verified by SHA256 checksum, and it is the SHA256
file that is signed. Assuming SHA256 checksums cannot be forged, this then
creates a chain of trust. If the signature matches, then these checksums are
the same checksums that were on the signing machine. If the checksums match,
then these are the same files that were on the signing machine. From us, to you.
<p>
The only component that you need to verify manually is the installer. I'm not
thrilled about this, because once you have OpenBSD installed, you have all the
parts needed to verify the next upgrade. I would like for it to be possible to
run a simple command that can download and verify a new installer for you,
using the existing running system. pkg_add essentially does this for package
upgrades already; we're just missing a tiny piece to close the loop in base.
<p>
pkg_add also uses signify behind the scenes to verify every package. Unless
something goes wrong, this is even more transparent to the user. The
signature scheme is similar. Packages already contained SHA256 checksums for
integrity checking, so again, it's those checksums that are signed. However,
the signature is not available separately. It's contained entirely within each
package. The package collection contains too much data to sign all the
packages atomically. Anybody attempting to update during an rsync would see too many
failures.
<h2>Key Rotation</h2>
<p>
After each release of OpenBSD, we generate a new key pair for the release
after next. That's plus two. For example, after 5.6 was released, keys for 5.8
were generated. This way, the 5.8 keys are then included in the 5.7 release.
So, if you upgrade every release, you will have an unbroken chain of keys
back to your initial installation. We don't directly sign keys with keys,
however, but the next key is implicitly signed by its inclusion in a signed release.
Each key is tied to a release and only used for artifacts relating to that
release.
<p>
We do this for a couple reasons. First, if you don't have a key rotation plan
in place in case of emergency, your emergency will end poorly. Trying to
actually recover from a compromised key is more or less impossible in my
opinion. Revocation is probably a cure worse than the disease. Without any
great effort, however, our key rotation schedule will automatically cycle
out the bad key. Even if we do nothing, or never notice the compromised key,
its utility to an adversary is limited. The tried and true solution to
many problems: ignore it until it goes away.
<p>
Additionally, we have an automatic upgrade path established if we need to
switch to a different algorithm.
<h2>Key Infrastructure</h2>
<p>
I've covered how signify helps get OpenBSD from us to you. But that's assuming
you have a trusted signify public key. That's an egg. As also mentioned, if you
are already running OpenBSD (i.e., the chicken), that includes the next key. If
you have either the chicken or the egg, you're all set. But what about people
with neither?
<p>
There are no key servers for signify. No web of trust. Just keys. The good
news is the keys are pretty small. As demonstrated. We can stick them just about
everywhere, and we do. They're on the web site, they're on twitter, they're on
the top side of the CD. 56 base64 characters. You can read it out loud over the
phone in under a minute. Wide dispersion makes it harder and harder to
intercept all the ways you may get the key and increases the risk of detection
should anybody try some funny business.
<h2>References</h2>
<p>
<a href="http://www.tedunangst.com/flak/post/signify">
signify - sign and verify
</a>
<p>
<a href="http://man.openbsd.org/OpenBSD-current/man1/signify.1">
signify(1) manual
</a>
<p>
<a href="http://marc.info/?l=openbsd-misc&m=139897106806288&w=2">
signing policy
</a>
</div>