LAB: Digital Signature: Software Signing and Verification

AITI-KACE, CAPT
November, 2021
Digital signature is a means of proving authenticity on messages. Thus, affirming the
originator of the message. Creating and verifying signatures uses the public/private
keypair:
- Sender appends a signature (sign with private key) on the message.
- Receiver receives the signed document and verifies the signature (with the
senders public key)

One common way of distributing software package follows:

 create a hash/checksum of the software package

 sign the hash
 give out both the signed hash and the actual software

If the digital signature and hash verification pass, then software originated from the
right source and is not altered.

The exercise below requires that you create a compressed package, create a
checksum of the compressed package and sign with your private key. Then after,
exchange the signed compressed package with your colleague. And then import the
public key of your colleagues and verify the software.

Sign a software package:

- create the software package (text file):
cd Desktop
echo “This is my software!” > pack.txt

- compress the package with tar:

tar -czvf pack.txt.tar.gz pack.txt

- Create a checksum (SHA hash) of the compressed package with the shasum
utility:
shasum -a 256 pack.txt.tar.gz > packhs

- Sign the checksum with your private key.If prompted a password, enter
password you used in generating the key:
gpg --clearsign -u <keyID> -a packsh
This creates a signed checksum package with a .asc extension. Exchange both
packhs.asc and the pack.txt.tar.gz with someone.
Exchanging your software .asc and .tar.gz
- Upload your software package .asc and .tar.gz to your website for people to
download, verify it authenticity and integrity using your public key and hash
respectively.
- For our Labs, we shall exchange software among ourselves by leveraging on
apache web server.
- Copy the .asc and .tar.gz files to the /var/www/html directory and start the
apache web server.
cp packhs.asc pack.txt.tar.gz /var/www/html
service apache2 start

On the Receiver Side

- Download both the software .tar.gz and the signed hash .asc
E.g. <IP>/packhs.asc
<IP>/pack.txt.tar.gz

Verify the signed package (authenticity of software):

- You need to first of all import the public key of the software provider:
gpg --keyserver <domain of server> --recv-keys <keyID of the software
provider>
- gpg --verify <hash_outpute_file_name>.asc
If verification is successful you will see ‘good signature from ………’

Verify the tar.gz file against the hash (integrity of software):

Make sure the .asc and tar.gz files are in the same directory.
shasum -c <hash_outpute_file_name>.asc

Note: If everything is OK, it implies software integrity is not tempered and that the
.tar.gz is not altered. So it is safe to unzip and install.
tar -xzvf pack.txt.tar.gz
Read the file: vim pack.txt

Assignment
Download and verify the authenticity of veracrypt installer software.