mirror of
https://github.com/InvisibleUp/uvmac.git
synced 2024-12-21 16:30:04 +00:00
1 line
4.9 KiB
HTML
1 line
4.9 KiB
HTML
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title> PSgCheck </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="canonical" href="index.html">
</head>
<body>
<div>
<i> <a href="https://www.gryphel.com/index.html">www.gryphel.com</a>/c/<a href="../../index.html">minivmac</a>/<a href="../index.html">extras</a>/psgcheck
- <a href="https://www.gryphel.com/c/feedback.html">feedback</a> </i>
</div>
<hr>
<h2 align=center>
PSgCheck
</h2>
<hr>
<p> Download </p>
<blockquote>
<p> <a href="https://www.gryphel.com/d/minivmac/extras/psgcheck/psgcheck-1.1.0.zip">psgcheck-1.1.0.zip</a>
(131K) a zipped hfs disk image and checksum file.
The disk image can be mounted with Mini vMac.
Includes source code.
</p>
</blockquote>
<p>
PSgCheck is a tool for checking digital signatures, just like
<a href="../sigcheck/index.html">SigCheck</a>,
except that it uses a different format that is more
or less compatible with the program MacPGP.
</p>
<p> <img src="https://www.gryphel.com/d/minivmac/extras/psgcheck/screen.gif" width=514 height=344 border=0 alt="Screenshot"> </p>
<p>
The related tool
<a href="../psgwrite/index.html">PSgWrite</a>
creates digital signatures that can be checked by PSgCheck.
Public and secret key pairs for these tools can be created with
<a href="../pmakkeys/index.html">PMakKeys</a>.
</p>
<p>
PSgCheck is in part descended from MacPGP source code, which, as far as
I can tell, allows derived works for noncommercial use. PSgCheck is
generally compatible with MacPGP, but it is easier to legally
distribute, since it doesn’t do cryptography. Since it only does
one thing it should also be easier to use. PSgCheck only handles a
subset of signed messages that MacPGP does.
</p>
<p>
PSgCheck has been replaced by
<a href="../sigcheck/index.html">SigCheck</a>,
which uses a different format, “GRY”. The “GRY”
format is much simpler, and therefore shorter.
</p>
<p>
To attempt to mitigate weaknesses of md5, the GRY signature format
uses two different md5 checksums, the normal one, and the md5
checksum of the input bytes in reverse order. It also includes 3 byte
CRC checksums in normal and reverse order, and 2 bytes of version
info to make a 40 byte digest (320 bits). 384 bits is the minimum
key size supported by SigCheck, which means the maximum digest
size which can be encoded in the signature is 384 bits.
It is hopefully harder to construct two files where these 40 byte
digests match than it is to make the 16 byte md5 checksums match.
</p>
<p>
The signature format used by PSgCheck only uses the 16 byte md5
checksum as a digest. Currently md5 is generally considered
hopelessly weakened, and unsuitable for any purpose. However, as far as
I know, there is still no publicly known practical
“Preimage” attack, which is what is most important for
signing. That is, if I create a file that has a certain md5 checksum,
there is no practical way known yet for someone else to construct a
different file with the same checksum. But it is possible to create two
files with the same md5 checksum. So you have to be careful about
signing a statement that you have looked at a file created by someone
else, with a given md5 checksum, and it is good. Because they might have
another file with the same checksum that isn’t good.
And you have to be careful about signing a statement that contains a
significant amount of text from someone else, especially if your text
that precedes their text is predictable. Which seems to be what happened
to Microsoft with the “Flame” malware.
</p>
<p>
Here is the md5 checksum for the download, signed with
<a href="https://www.gryphel.com/c/keys/k5.html">Gryphel Key 5</a>:
</p>
<blockquote>
<pre>
--------- GRY SIGNED TEXT ---------
0c0c7595afb4c5f80eed669c9579697a psgcheck-1.1.0.zip
------- BEGIN GRY SIGNATURE -------
Gry/4Xa8CFcUzxdN/FGldTdJwYKeOhZAQlL95gcFYC0GhlGNfIPVF7R535S78Dh2
8abQczZlQjk4P4hVOPLAyTkiADAF6AExOX
|