|
|||
signify with -C
I am having an issue with how to use signify(1) on all files in a Directory. Some files could be quite large and based upon my searches and manuals, this shows the issue:
1. To sign the files I do the following: Code:
$ sha256 * > SHA256 $ signify -S -s my.sec -m SHA256 Code:
$ signify -C -p my.pub -x SHA256.sig signify: signature verification failed Code:
$ signify -V -p my.pub -m SHA256 Signature Verified $ sha256 -c SHA256 lots of OKs Thanks |
|
|||
signify -C
Well I figured out what to do, this is what I believe is needed.
Sign: Code:
$ sha256 * > SHA256 signify -S -s my.sec -m SHA256 cat SHA256 >> SHA256.sig Code:
signify -C -p my.pub -x SHA256.sig Last edited by jmccue; 13th September 2021 at 11:32 PM. Reason: fixed |
|
||||
In that example, I'm thinking that
$ sha256 * > SHA256 will create a checklist file SHA256 containing entries for files a, b and c, but not for itself since it doesn't exist when the * is interpreted. The next command $ sha256 -C SHA256 * then tests each file referenced by * against the checklist file entries. At this point the * does pick up SHA256 --- because it now exists --- and this leads to an error as indicated in sha256(1) about the -C option: Quote:
|
|
|||
About SHA256 makes sense, so I just need to do this instead just in case. But I did not originally run into the issue since SHA256* did not exist:
Code:
sha256 * | egrep -v '\(SHA256\)|\(SHA256\.sig\)' > SHA256 As things stand, I think I am all set to sign all files (and large files) in a specific directory without using having to use gpg(1), unless someone knows of a better "signify" method of signing files. It is interesting how this seems to be done, one signs SHA256 instead of each file in the directory. This is different than what you would do using gpg(1) and this method generates just 1 "signed" file instead of multiple *.asc files. Thanks Last edited by jmccue; 14th September 2021 at 05:06 PM. Reason: typo |
|
||||
Quote:
% ls * > output and the output file only showed the a, b and c files initially present. So it seems to be a subtly different behaviour between the two ksh shells in question? I will try to investigate a little more later, and sorry for any confusion. Last edited by IdOp; 15th September 2021 at 06:27 PM. |
|
||||
Ok this is bizarre ...
I have OpenBSD 6.1 on my laptop. It's not the latest, but better for this purpose than ksh on Linux. So I tried my first example, % ls -1 * > output and sure enough the output file shows, a, b, c and output. Just as jggimi indicated. So then I tried it with sha256 instead of ls, % sha256 * > sums Now the output file "sums" only contained checksums for a, b and c, but not itself ! This is different from the ls example, and from what jggimi found. Very strange. Maybe something has changed between ver. 6.1 and the latest? |
|
|||
Quote:
Code:
sha256 * > SHA256 |
|
||||
Hmmm. I see where things went off the rails. I can create the changing checksum file in my usual interactive shell, tcsh. But with ksh, the checksum file itself is not included in the list of files produced. It's a difference of shell interpretation with globbing and piped output.
|
|
||||
Ahh, good to have that mystery solved.
What I still don't understand is why the similar-seeming examples with ls and sha256 in 6.1 gave different behaviour. But that question is straying off-topic from jmccue's thread so I will leave it there. |
|
|||
Quote:
On my other systems (work) I am also a tcsh user, but on OpenBSD I have been staying with base ksh. Thanks, good to know |
Tags |
sha256, signify, verify |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
signify: unable to parse checksum error. | jjstorm | OpenBSD General | 2 | 5th April 2016 12:44 AM |