Re: Code signing in OpenBSD

To: <misc@...>
Date: Thursday, December 6, 2007 - 12:03 pm

>> > Come on... twice a year and get the benefit of not being excluded from

You make it sound like OpenBSD is a vendor that is actively marketing to these
companies and that cannot make a sale because it is not meeting a specific set
of criteria in your requirements docs.

Tell you what. I am sure there are a number of individuals on the list who
own or work at companies that would be more than happy to provide your
employer with a custom-built set of installation binaries and packages, signed
for your digital pleasure. I expect bi-annual costs, including overhead like
lawyers, errors and omissions insurance, etc., to run mid-5-figures per
release. Minimum 5 release contract. Expect much re-writing of contract
clauses. If there is indeed that much value derived in your organization from
the use of OpenBSD, then this will be a paltry sum to pay.

I am fairly confident that Oracle and Sun and SAP likely aren't PKI'ing their
updates from their websites. Oh wait. Are those excluded from the company
policy because you have a contract in place?

I went through a similar policy a few years ago while doing Sarbanes-Oxley
consulting. The lawyers and auditors were screaming for validation of free
software, like Perl. After many months of having tantrums, they, along with
management, finally realized that going down this path would be tantamount to
trying to chip away all the mortar keeping a brick building together. The
effects on the integrity of the structure (corporate, in this case) would be
too great to keep pursuing this line of thought. That policy was abandoned
because it was costing more to implement than the perceived risks they
believed they could mitigate. (i.e. - they had to think in practical terms)

Shortly afterward, I went back to steel-toed-boots engineering, where risk
models really matter because you're trying to ensure that people don't get
killed, that the environment doesn't get polluted, that you don't destroy
assets and that you don't impact production. Digital signatures are pretty
irrelevant when you need to be concerned about an explosion that could
potentially wipe out a few hundred million in infrastructure in the space of a
few city blocks. Or when an H2S leak can kill you and your crew in a matter
of a few breaths.

If it's that important, shut up and hack. Or otherwise just shut up.


Messages in current thread:
Re: Code signing in OpenBSD, Jason George, (Thu Dec 6, 12:03 pm)