DaemonForums > OpenBSD > OpenBSD Security

#1
13th September 2021
jmccue (Real Name: John McCue)
signify with -C

I am having an issue with how to use signify(1) on all files in a directory. Some files could be quite large, and based upon my searches and the manuals, this shows the issue:

1. To sign the files I do the following:
Code:
$ sha256 * > SHA256
$ signify -S -s my.sec -m SHA256
2. This is where the issue occurs:
Code:
$ signify -C -p my.pub -x SHA256.sig
signify: signature verification failed
3. But this works.
Code:
$ signify -V -p my.pub -m SHA256
Signature Verified

$ sha256 -c SHA256
lots of OKs
Is there something I am missing in step 2? Or are we supposed to use the method in step 3? Or is the issue with #1? Based upon what I read, #2 should work.

Thanks
#2
13th September 2021
jmccue
signify -C

Well, I figured out what to do; this is what I believe is needed.

Sign:
Code:
$ sha256 * > SHA256
$ signify -S -s my.sec -m SHA256
$ cat SHA256 >> SHA256.sig
Then this now works:
Code:
$ signify -C -p my.pub -x SHA256.sig
If I am wrong, please let me know.

Last edited by jmccue; 13th September 2021 at 11:32 PM. Reason: fixed
#3
14th September 2021
jggimi

If you put your checksum list file into the same directory, you can get a failing checksum when you test it. Example:
Code:
$ mkdir /tmp/test && cd /tmp/test
$ touch a b c
$ sha256 * > SHA256
$ sha256 -C SHA256 *
(SHA256) SHA256: FAILED
(SHA256) a: OK
(SHA256) b: OK
(SHA256) c: OK
The checksum file is not static. Its contents are still changing after it is first tested, as the files a, b, c are checksummed later.

Last edited by jggimi; 14th September 2021 at 11:18 AM. Reason: typo
#4
14th September 2021
IdOp

In that example, I'm thinking that

$ sha256 * > SHA256

will create a checklist file SHA256 containing entries for files a, b and c, but not for itself since it doesn't exist when the * is interpreted. The next command

$ sha256 -C SHA256 *

then tests each file referenced by * against the checklist file entries. At this point the * does pick up SHA256 --- because it now exists --- and this leads to an error as indicated in sha256(1) about the -C option:

Quote:
Any specified file that is not listed in the checklist will generate an error.
#5
14th September 2021
jmccue

About SHA256, that makes sense, so I just need to do this instead, just in case. But I did not originally run into the issue since SHA256* did not exist:
Code:
$ sha256 * | egrep -v '\(SHA256\)|\(SHA256\.sig\)' > SHA256
"sha256 -c SHA256" by itself will not work for me since I am trying to use signify(1) for file signing instead of gpg(1).

As things stand, I think I am all set to sign all files (and large files) in a specific directory without having to use gpg(1), unless someone knows of a better "signify" method of signing files.

It is interesting how this seems to be done: one signs SHA256 instead of each file in the directory. This is different from what you would do using gpg(1), and this method generates just one "signed" file instead of multiple *.asc files.

Thanks

Last edited by jmccue; 14th September 2021 at 05:06 PM. Reason: typo
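An added example, not code from this thread: a Python model of the checklist handling discussed in posts #3 and #5, using hashlib in place of sha256(1) so it runs anywhere. It builds the list the way post #5's egrep filter does (never listing SHA256 or SHA256.sig) and reproduces post #3's FAILED entry for a list that includes itself; the Ed25519 signature that signify -C checks before it ever reads the list is outside what this models.

```python
import hashlib
import os
import re
import tempfile
# One line as sha256(1) prints it: "SHA256 (name) = <64 hex digits>"
LINE_RE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # large files, bounded memory
            h.update(chunk)
    return h.hexdigest()

def build_checklist(directory, exclude=("SHA256", "SHA256.sig")):
    """Like `sha256 * | egrep -v ... > SHA256` (post #5): hash every regular
    file except the checklist and its signature, which cannot list themselves."""
    lines = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name not in exclude and os.path.isfile(path):
            lines.append(f"SHA256 ({name}) = {sha256_file(path)}\n")
    return "".join(lines)

def check_files(directory, checklist_text, names):
    """Like `sha256 -C SHA256 FILE...`; MISSING is the unlisted-file error."""
    expected = {m.group(1): m.group(2)
                for m in map(LINE_RE.match, checklist_text.splitlines()) if m}
    result = {}
    for name in names:
        if name not in expected:
            result[name] = "MISSING"
        elif sha256_file(os.path.join(directory, name)) == expected[name]:
            result[name] = "OK"
        else:
            result[name] = "FAILED"
    return result

def demo():
    # Constructed directory holding a, b, c; returns (excluded, self_listed).
    d = tempfile.mkdtemp()
    for name in "abc":
        with open(os.path.join(d, name), "w") as f:
            f.write(name)
    good = build_checklist(d)
    # Post #3 (tcsh): the glob saw the just-created, still empty SHA256, so the
    # list records the hash of an empty file, wrong once the list is written.
    bad = good + f"SHA256 (SHA256) = {hashlib.sha256(b'').hexdigest()}\n"
    with open(os.path.join(d, "SHA256"), "w") as f:
        f.write(bad)
    return check_files(d, good, ["a", "b", "c"]), check_files(d, bad, ["SHA256", "a", "b", "c"])
```

The `cat SHA256 >> SHA256.sig` step in post #2 produces the embedded layout that signify -C expects; signify's -e option writes that layout in one step when signing.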
#6
15th September 2021
jggimi

Quote:
Originally Posted by IdOp View Post
In that example, I'm thinking that

$ sha256 * > SHA256

will create a checklist file SHA256 containing entries for files a, b and c, but not for itself since it doesn't exist when the * is interpreted.
But that isn't what happens. The checklist file will include a listing for the file "SHA256" with an incorrect (still changing) hash.
#7
15th September 2021
IdOp

Quote:
Originally Posted by jggimi View Post
But that isn't what happens. The checklist file will include a listing for the file "SHA256" with an incorrect (still changing) hash.
Well that is interesting. Of course I didn't have a recent OpenBSD system to check it on, so what I did was run under ksh

% ls * > output

and the output file only showed the a, b and c files initially present. So it seems to be a subtly different behaviour between the two ksh shells in question? I will try to investigate a little more later, and sorry for any confusion.

Last edited by IdOp; 15th September 2021 at 06:27 PM.
#8
15th September 2021
IdOp

OK, this is bizarre...

I have OpenBSD 6.1 on my laptop. It's not the latest, but better for this purpose than ksh on Linux.

So I tried my first example,

% ls -1 * > output

and sure enough the output file shows a, b, c and output. Just as jggimi indicated.

So then I tried it with sha256 instead of ls,

% sha256 * > sums

Now the output file "sums" only contained checksums for a, b and c, but not itself! This is different from the ls example, and from what jggimi found. Very strange. Maybe something has changed between ver. 6.1 and the latest?
#9
16th September 2021
jmccue

Quote:
Originally Posted by IdOp View Post
Now the output file "sums" only contained checksums for a, b and c, but not itself ! This is different from the ls example, and from what jggimi found. Very strange. Maybe something has changed between ver. 6.1 and the latest?
On 6.9 this
Code:
$ sha256 * > SHA256
did not add an entry for SHA256 in the output file. I wonder if the output is saved in memory prior to creating SHA256.
16th September 2021
jggimi

Hmmm. I see where things went off the rails. I can create the changing checksum file in my usual interactive shell, tcsh. But with ksh, the checksum file itself is not included in the list of files produced. It's a difference of shell interpretation with globbing and piped output.
16th September 2021
IdOp

Ahh, good to have that mystery solved.

What I still don't understand is why the similar-seeming examples with ls and sha256 in 6.1 gave different behaviour. But that question is straying off-topic from jmccue's thread so I will leave it there.
16th September 2021
jmccue

Quote:
Originally Posted by jggimi View Post
Hmmm. I see where things went off the rails. I can create the changing checksum file in my usual interactive shell, tcsh. But with ksh, the checksum file itself is not included in the list of files produced. It's a difference of shell interpretation with globbing and piped output.
Well, interesting. I thought it was odd that on OpenBSD via ksh it was not seeing SHA256.

On my other systems (work) I am also a tcsh user, but on OpenBSD I have been staying with base ksh.

Thanks, good to know