Signing files
Page content
Howto sign and verify files using SSL and 3 little shell scripts. This is a good way to make sure that no one is messing with your binaries …
Recipe:
1st: Create 3 shell scripts
To create script “sslkeys.sh” just execute:
cat <<-EOF >sslkeys.sh
#!/bin/bash
KEY="\`id -un\`@\`hostname -s\`"
# create private key ...
[ ! -f \$KEY.pem ] && {
openssl genrsa -out \$KEY.pem 2048
chmod 0600 \$KEY.pem
}
# create public key ...
[ ! -f \$KEY.pub ] && {
openssl rsa -in \$KEY.pem -outform PEM -pubout -out \$KEY.pub
}
EOF
chmod 0755 sslkeys.sh
To create script “sslsign.sh” just execute:
cat <<-EOF >sslsign.sh
#!/bin/bash
KEY="\`id -un\`@\`hostname -s\`"
[ \$# -lt 1 ] && {
echo "usage: \`basename \$0\` <filename>"
exit 1
}
[ ! -f \$1 ] && {
echo "ERROR: file [ \$1 ] not found!"
exit 1
}
# create signature ...
openssl dgst -sha256 -sign \$KEY.pem \$1 |
openssl base64 -out \`basename \$1\`.signature
echo "OK. signature for file [ \$1 ] is:"
cat \`basename \$1\`.signature
EOF
chmod 0755 sslsign.sh
To create script “sslcheck.sh” just execute:
cat <<-EOF >sslcheck.sh
#!/bin/bash
KEY="\`id -un\`@\`hostname -s\`"
[ \$# -lt 1 ] && {
echo "usage: \`basename \$0\` <filename>"
exit 1
}
[ ! -f \$1 ] && {
echo "ERROR: file [ \$1 ] not found!"
exit 1
}
# generate sha256 checksum from signature ...
cat \`basename \$1\`.signature | openssl base64 -d -out \`basename \$1\`.sha256
# verify the file using the signature ...
openssl dgst -sha256 -verify \$KEY.pub -signature \`basename \$1\`.sha256 \$1
# cleanup
rm -f \`basename \$1\`.sha256
EOF
chmod 0755 sslcheck.sh
2nd: Create your keys
support@gauls:~$ ./sslkeys.sh
Generating RSA private key, 2048 bit long modulus
...................................................+++
...+++
e is 65537 (0x010001)
writing RSA key
3rd: Sign your file
In this example i’m using one of the SMITUX release files …
support@gauls:~$ ./sslsign.sh /stx-image-8.1.24.tar.gz
OK. signature for file [ /stx-image-8.1.24.tar.gz ] is:
H6UcPrsghxYUuaS9B0kQMCZNvFODm2MpGDOWdLTWpU5m1EFa2kQuwKtoyVVP85sV
QvFvNI+u1C6r0KVPS40i0vhvEir8pSw0rrbSs+U3gSm6Yn83Ztp6E8mP2RHO7nF7
7VTUHW0N6JICh1fF4n9MhWkiDPIkXNZn24aroH1jq3xM+iVLjdIsNR6ZFDfWCq+E
qy+6Y4+EVj4wyLRQR6f4ljqiLpuGjWB3Hcr0rx0r4vop/tPHxU+MrRuJcCITX+Y0
97/Nk7RU+mXPES1tx/X/a3DpaA59CCpYGtubvs9EL/t9ci8c8ONNYQ0cdww9Bhoq
RQuEMAA45zYGc9sg8/omgA==
4th: Offer your files for download
Let’s say you want to provide a big download (in my case a SMITUX release). The put the following files on your FTP server:
support@gauls:~$ ls -la *pub *signature /stx*tar.gz
-rw-r--r-- 1 root root 566986946 Apr 6 21:22 /stx-image-8.1.24.tar.gz
-rw-r--r-- 1 support support 350 May 16 17:21 stx-image-8.1.24.tar.gz.signature
-rw-r--r-- 1 support support 451 May 16 17:21 support@gauls.pub
I know it’s trivial BUT:
KEEP YOUR PRIVATE KEY SECRET IN ANY CASE!
I repeat: DO NOT OFFER YOUR PRIVATE KEY FOR DOWNLOAD!
IMPORTANT: Your users will also need the check script (sslcheck.sh)!
5th: The user checks the file
support@gauls:~$ ls -la stx-image-8.1.24.tar.gz.signature support@gauls.pub /stx-image-8.1.24.tar.gz sslcheck.sh
-rw-r--r-- 1 root root 566986946 Apr 6 21:22 /stx-image-8.1.24.tar.gz
-rwxr-xr-x 1 support support 456 May 16 17:20 sslcheck.sh
-rw-r--r-- 1 support support 350 May 16 17:21 stx-image-8.1.24.tar.gz.signature
-rw-r--r-- 1 support support 451 May 16 17:21 support@gauls.pub
support@gauls:~$ ./sslcheck.sh /stx-image-8.1.24.tar.gz
Verified OK
Now:
- if somebody changes/breaks the TAR file he or she is f***
- if somebody changes/breaks the .signature file he or she is f***
- if somebody changes/breaks the pubkey (.pub) he or she is f***
Alternative
You can use “md5sum”. It is simple and fast but it is not as secure as openssl is.