From 9763f4097f9661c2a7b71e3992059ad2b2619bd7 Mon Sep 17 00:00:00 2001
From: afresh1
Date: Sat, 14 Oct 2023 18:10:47 +0000
Subject: [PATCH] Verify but don't overwrite SHA256.sig in fw_update(8)

Signify is happy to overwite the file with the signature stripped off. However, if we do that, when downloading firmware we lose the ability to check the signature before verifying checksums on the downloaded files.

Noticed by Thomas Right deraadt@
---
 usr.sbin/fw_update/fw_update.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/fw_update/fw_update.sh b/usr.sbin/fw_update/fw_update.sh
index a379d7427fb..ae31ce21084 100644
--- a/usr.sbin/fw_update/fw_update.sh
+++ b/usr.sbin/fw_update/fw_update.sh
@@ -1,5 +1,5 @@
 #!/bin/ksh
-# $OpenBSD: fw_update.sh,v 1.50 2023/09/28 01:18:52 afresh1 Exp $
+# $OpenBSD: fw_update.sh,v 1.51 2023/10/14 18:10:47 afresh1 Exp $
 #
 # Copyright (c) 2021,2023 Andrew Hewus Fresh
 #
@@ -180,7 +180,7 @@ fetch_cfile() {
 set +o noclobber # we want to get the latest CFILE
 fetch "$CFILE" || return 1
 set -o noclobber
-! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" &&
+! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m /dev/null &&
 warn "Signature check of SHA256.sig failed" &&
 rm -f "$CFILE" && return 1
 elif [ ! -e "$CFILE" ]; then
--
2.20.1
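Review bot: The reason for sending signify's verified output to /dev/null exists only in the commit message; a reader of the new `signify -qVep ... -m /dev/null` line will wonder why the checked message is discarded instead of being written back to "$CFILE". A one-line comment above it would keep that rationale with the code, e.g. `# verify only: keep the signature in $CFILE so the later checksum checks can re-verify it`. Separately, on the failure path `rm -f "$CFILE"` and `return 1` execute only if `warn` exits zero, so if warn can ever return non-zero (its definition is outside the hunk) an unverified SHA256.sig would be left in place and the function would carry on; an `if ! signify ...; then warn ...; rm -f "$CFILE"; return 1; fi` form would not have that dependency. fetch_cfile begins and ends outside the hunk.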