Sign v.1.0.7


sign is a file signing and signature verification utility. Its main purpose is to be a simple and convenient extension to the tar/gz/bzip2 line of tools for checking file integrity and authenticity. It's small and simple, it does just one thing and hopefully does it well.

I needed a tool to digitally sign a bunch of .tar.gz files and to allow recipients of the files to easily check, unzip, untar and start enjoying the content as quickly and painlessly as possible. There are OpenSSL, GnuPG, PGP and others, and they are of course perfectly capable of file signing. OpenSSL is probably the most widespread one and the best suited for the role of a universal signing utility. However, the state of affairs is such that OpenSSL as an application is not really used for anything more than generating tarball MD5 hashes. The other packages are plain big and complex for the simple task of file integrity checking. It's like getting a professional sound editing suite instead of a dead-simple .mp3 player. The larger crypto packages also tend to lack modularity, in the sense that to get file signing working I would need to configure a handful of core, but otherwise unrelated, settings first. Besides, if I am not going to use anything but the signing code, the rest will be sitting there collecting dust, creating non-trivial shared library dependencies and a general feeling of wasted disk space.

First of all, sign is a file processing tool: it reads from files (including stdin) and writes to files (including stdout). It can be used to attach signatures to files or to verify and/or strip them. Between signing and verifying, the latter will account for the bulk of usage. When checking a signature, sign checks both the integrity and the authenticity of the file. The integrity check is done by validating the SHA-1 hash embedded in the signature, and authenticity is ensured by checking the signer's credentials against a trusted list.

sign adopts an OpenSSH-style authentication model, where the trust hierarchy is flat (no certificates), authentication is done with public keys and the list of trusted keys is grown gradually on an as-needed basis. Every trusted key is associated with a file name prefix called the title. The key can be trusted for signing files whose names start with the key's title. The same key may be associated with more than one title, but not vice versa.

The signature is appended at the end of the file and it carries three bits of information: the title, the public key of the signer, and the hash of all preceding data encrypted with the signer's private key. The verification is performed as follows:

  • The filename is checked to start with the title.
  • The hash is decrypted using the public key.
  • The hash is compared to the locally computed value (this ensures integrity).
  • The title is looked up locally. If it is known and the associated public key is the same as in the signature, the file is deemed authentic.

Otherwise, if the title is known but the key is different, the file is considered to be signed by an untrusted, impersonating party and the check fails. And lastly, if the title is unknown, the authenticity of the file cannot be established. The user is provided with the public key fingerprint, which should be manually authenticated. Then the title and the key are added to the trusted list, and subsequent signatures from this signer for this particular title will be cleared automatically.

In order to sign files, the signing keypair must first be generated. The keypair is maintained on a per-user basis and can be created by running sign with a special command-line flag. The signing process itself is as follows (give or take insignificant details):

  • Run the filename through the list of owned titles and find the best match. Alternatively, accept an explicit title from the user using one of the command-line flags.
  • Attach the title, attach the public signing key.
  • Compute the hash, encrypt it with the private signing key.
  • Attach the encrypted hash.

For details on command-line syntax and other operating parameters, please refer to the man page, an online version is here.
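The verification and signing steps described above, as an added Python sketch that is not sign's own code. The dictionary signature layout, the function names, the fingerprint format and the toy textbook-RSA key are all assumptions made for illustration; the page does not specify sign's on-disk format or key type.

```python
import hashlib

UNKNOWN, AUTHENTIC, IMPERSONATION = "unknown signer", "authentic", "impersonation"
BAD_TITLE, CORRUPT = "title mismatch", "integrity failure"

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two primes: constructed demo key, NOT secure."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def sha1_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def fingerprint(pub):
    """Short digest of the public key for manual, out-of-band comparison."""
    return hashlib.sha1(repr(pub).encode()).hexdigest()[:16]

def sign_file(data, title, pub, priv):
    """Build the three signature fields: title, public key, encrypted hash."""
    return {"title": title, "pub": pub,
            "enc_hash": pow(sha1_int(data), priv, pub[0])}

def verify(filename, data, sig, trusted):
    """trusted maps title -> public key (the per-user trusted list)."""
    if not filename.startswith(sig["title"]):
        return BAD_TITLE
    n, e = sig["pub"]
    if pow(sig["enc_hash"], e, n) != sha1_int(data):   # "decrypt" and compare
        return CORRUPT
    known = trusted.get(sig["title"])
    if known is None:
        return UNKNOWN        # caller shows fingerprint(sig["pub"]) to the user
    return AUTHENTIC if known == sig["pub"] else IMPERSONATION

if __name__ == "__main__":
    pub, priv = toy_keypair(2**127 - 1, 2**89 - 1)   # Mersenne primes
    data = b"constructed tarball bytes"
    sig = sign_file(data, "myproj-", pub, priv)
    trusted = {}
    print(verify("myproj-1.0.tar.gz", data, sig, trusted), fingerprint(pub))
    trusted[sig["title"]] = sig["pub"]               # after manual confirmation
    print(verify("myproj-1.0.tar.gz", data, sig, trusted))
```

A signature made with a different key passes the hash comparison on its own, because the public key travels inside the signature; only the lookup in the trusted list distinguishes an authentic file from an impersonation.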


 
  • Sign
  • 1.0.7
  • Alex Pankratov
  • Any Platform
  • BSD
  • 28 Kb
  • 225
 
 
