Thought I'd contribute my brief understanding of
package signing using openssl. I believe this package can
be customized on install so that it only provides the
tools you need. Package signing only needs (I believe) 4:
md5, rsautl, genrsa, and rsa.
First, you need the md5 hash of the package you're
going to distribute:
% openssl md5 package.lrp > package.md5
Then use an RSA or DSA private key to sign the hash
value. I'll use RSA here cuz the docs at www.openssl.org
refer to rsautl a lot more than dsautl:
% openssl rsautl -sign -in package.md5 -inkey priv.key -out package.sig
Note that 'rsautl' requires version 0.9.6 or above.
I'm pretty sure all of this is doable without it, but it'd
take more poking around to be sure.
Anyhow...the signature file is written to package.sig.
This presumes you have an RSA private key in the priv.key file.
To generate one, do this:
% openssl genrsa -rand /dev/random -out priv.key
That generates a private key into priv.key. To get the
public key you should distribute along with package.sig, do this:
% openssl rsa -in priv.key -out pub.key -pubout
Now you got package.sig and pub.key which you can send
out to anyone. The remote user verifies everything's cool with:
% openssl rsautl -in package.sig -verify -inkey pub.key -pubin
I think all the details are there. Hope this helps...
-Scott
> > And Jack Coats pointed out gpgv that might fit on a CD (283932 bytes),
> > to which Jeff Newmiller reminded all that gpg will take that much
> > ramdisk + RAM to run in...
> >
> > gpgv is the verification only part, and looking through the source code,
> > most of it is gpg "stubbed out" (to be as small as possible.) From the
> > looks of it, it is pretty close to what you were describing:
> >
> > gnupg 1.0.6 (gpgv), stripped and upx'ed down to 113522 bytes
> >
> > That's still pretty big. Or do you think that would be small enough? I
> > don't see any way to get a pgp-like app smaller than that.
>
> I'm not looking for something general purpose. The code has to do one
> thing, and one thing only: Given a file, a signature, and a public key,
> verify the signature (and hence the file's) authenticity. The public key
> and signature can be in a pre-defined format, if desired, although it might
> be nice to support varying key lengths.
>
> No pass-phrase encryptions of files, no complex code trying to keep secrets
> from other users of the system (that all belongs on the development side,
> when the package creator signs the package in the first place), no webs of
> trust, just a simple public-key signature verification.
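The receiving side's check, written out as an added example (not part of Scott's message or of the LEAF project's code): `rsautl -verify` only prints the data that was signed, so the function below compares it against a freshly computed hash of the package, which is the single job the quoted request describes. The function names and the 2048-bit key size are assumptions, and it presumes pub.key reached the user over a channel they already trust.

```shell
#!/bin/sh
# Added example: receiver-side check built on the thread's openssl commands.

# hash_of FILE: bare MD5 hex digest. Reading stdin keeps the file name,
# which "openssl md5 FILE" embeds in its output, out of the comparison.
hash_of() {
    openssl md5 < "$1" | awk 'NR==1 {print $NF}'
}

# verify_package PKG SIG PUBKEY: returns 0 only if SIG was produced by the
# private half of PUBKEY over the MD5 digest of PKG.
verify_package() {
    pkg=$1 sig=$2 pub=$3
    # rsautl -verify recovers the signed bytes; it never looks at PKG itself.
    signed=$(openssl rsautl -verify -in "$sig" -inkey "$pub" -pubin 2>/dev/null) || return 1
    signed_hash=$(printf '%s\n' "$signed" | awk 'NR==1 {print $NF}')
    actual_hash=$(hash_of "$pkg")
    [ -n "$signed_hash" ] && [ "$signed_hash" = "$actual_hash" ]
}

# demo_roundtrip: sign a constructed package, then check that the genuine
# file is accepted and a modified one is rejected.
demo_roundtrip() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'constructed package contents\n' > package.lrp
        # Developer side, same commands as in the message (key size assumed).
        openssl genrsa -out priv.key 2048 2>/dev/null
        openssl rsa -in priv.key -out pub.key -pubout 2>/dev/null
        openssl md5 package.lrp > package.md5
        openssl rsautl -sign -in package.md5 -inkey priv.key -out package.sig 2>/dev/null
        # Receiver side.
        verify_package package.lrp package.sig pub.key || exit 1
        printf 'extra bytes\n' >> package.lrp
        ! verify_package package.lrp package.sig pub.key
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_roundtrip && echo "genuine package accepted, modified package rejected"
```

MD5 is kept to match the commands above; collisions for it are practical, and using `openssl sha256` in both `hash_of` and the signing step leaves the comparison unchanged.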
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel