Digital Signature Lab 1 63 0
AITI-KACE, CAPT
November, 2021
A digital signature is a means of proving the authenticity of a message, thereby
affirming the originator of the message. Creating and verifying signatures uses a
public/private key pair:
- The sender appends a signature (signs with the private key) to the message.
- The receiver receives the signed document and verifies the signature (with the
sender's public key).
If the digital signature and hash verification pass, then the software originated from
the right source and has not been altered.
The exercise below requires that you create a compressed package, create a
checksum of the compressed package and sign it with your private key. After that,
exchange the signed compressed package with your colleague. Then import your
colleague's public key and verify the software.
- Create a checksum (SHA hash) of the compressed package with the shasum
utility:
shasum -a 256 pack.txt.tar.gz > packhs
- Sign the checksum with your private key. If prompted for a password, enter the
password you used when generating the key:
gpg --clearsign -u <keyID> -a packhs
This creates a signed checksum file with a .asc extension. Exchange both
packhs.asc and pack.txt.tar.gz with someone.
Exchanging your software .asc and .tar.gz
- Upload your software package .asc and .tar.gz to your website for people to
download and verify its authenticity and integrity using your public key and hash
respectively.
- For our labs, we shall exchange software among ourselves using the
Apache web server.
- Copy the .asc and .tar.gz files to the /var/www/html directory and start the
Apache web server.
cp packhs.asc pack.txt.tar.gz /var/www/html
service apache2 start
- Download both the software .tar.gz and the signed hash .asc, e.g.:
<IP>/packhs.asc
<IP>/pack.txt.tar.gz
Note: If everything is OK, it implies the software's integrity has not been tampered
with and that the .tar.gz is not altered. So it is safe to unzip and install.
tar -xzvf pack.txt.tar.gz
Read the file: vim pack.txt
Assignment
Download and verify the authenticity of the VeraCrypt installer software.