Macintosh-Tools/uvmac
1
0
Fork 0
mirror of https://github.com/InvisibleUp/uvmac.git synced 2024-06-10 13:29:44 +00:00
Code Issues Projects Releases Wiki Activity
20082e3307
uvmac/docs/extras/sigcheck/index.html
InvisibleUp 20082e3307 Add original Mini vMac documentation
2020-03-14 15:28:01 -04:00

1 line
8.5 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title> SigCheck </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="canonical" href="index.html">
</head>
<body>
<div>
<i> <a href="https://www.gryphel.com/index.html">www.gryphel.com</a>/c/<a href="../../index.html">minivmac</a>/<a href="../index.html">extras</a>/sigcheck
- <a href="https://www.gryphel.com/c/feedback.html">feedback</a> </i>
</div>
<hr>
<h2 align=center>
SigCheck
</h2>
<hr>
<p> Download </p>
<blockquote>
<p> <a href="https://www.gryphel.com/d/minivmac/extras/sigcheck/sigcheck-1.1.0.zip">sigcheck-1.1.0.zip</a>
(111K) a zipped hfs disk image and checksum file.
The disk image can be mounted with Mini vMac.
Includes source code.
</p>
</blockquote>
<p>
SigCheck is a tool for checking the digital signatures
found throughout this website, to verify the integrity of downloads.
Also, anyone can create their own signed message for SigCheck using the
<a href="../sigwrite/index.html">SigWrite</a>
tool.
</p>
<p> <img src="https://www.gryphel.com/d/minivmac/extras/sigcheck/screen.gif" width=514 height=344 border=0 alt="Screenshot"> </p>
<p>
To use SigCheck, launch the application, and in the editing window
that appears, paste in a signed message.
For example:
<!-- For example, here is a
checksum for the SigCheck download, signed with
<a href="../../../../c/keys/k1.html">Gryphel Key 1</a>,
the main public key for the Gryphel Project:
-->
</p>
<blockquote>
<pre>
--------- GRY SIGNED TEXT ---------
Twas brillig, and the slithy toves
did gyre and gimble in the wabe:
All mimsy were the borogoves,
and the mome raths outgrabe.
------- BEGIN GRY SIGNATURE -------
Gry/AXuKqWsF8Rh5/Bb045yIowANlvp/V/ymKoDa55Wb7dW/xGfPmca8oLw+Rv9d
cSQpcL+XpzESnWqpK/uNg7lTIe4wdOzo1/s6bHU0u27J+A5EngkYQiAMHeETq6Nx
DM8viQbkNx2UZrDxyOLCGXW1N4txMktyjC3DYzRMH/oKBVHxgP6B2j8sipEgp3Zf
-------- END GRY SIGNATURE --------
</pre>
</blockquote>
<p>
Copy all of the indented text above, which includes the message
body, the signature, and headers and footers.
Then paste it into SigCheck, which requires getting the clipboard
into the emulated Macintosh, if SigCheck is run inside Mini vMac.
You can get
text into the emulated Macintosh using the &ldquo;Host Paste&rdquo;
command in the Edit Menu of SigCheck. It is like the &ldquo;Paste&rdquo; command,
except that it uses the clipboard of the real computer instead
of the clipboard of the emulated computer. The keyboard shortcut
is Command-Option-V. (The &ldquo;Host Paste&rdquo; command has
similar effect to using
<a href="../clipin/index.html">ClipIn</a>
and then the normal &ldquo;Paste&rdquo; command.)
</p>
<p> Then click on the status bar, at the bottom
of the window below the editing area.
(Choosing the &lsquo;Go&rsquo; command from the File menu,
of the emulated Macintosh, will also work. The keyboard shortcut
is Command-G.) </p>
<p>
The editing area is cleared. Next paste in the public key
for the signed message.
For this example:
</p>
<blockquote>
<pre>
----- BEGIN GRY PUBLIC KEY -----
Gry+PKAIAAA/AXuKqWsF8Rh5Ie4/vORBnTxYf8FPpRl/n6hpgDgfJ5MAOsAEyePE
nSfjmL3I9emNTuW/iCIHlCl/WkaWyMQZ+NDb1ZsnSLyOKwOycVkR3JwJbUamM4wy
jUuoWV6jzuhqWZobpGPMSN4B3ivHXtcNVm5SVmnAL13T4FCLnx+TxaYRAQABwA54
------ END GRY PUBLIC KEY ------
</pre>
</blockquote>
<p>
Before continuing, it would be a good idea to set Mini vMac to
<a href="../../hardware.html#processor">All Out speed</a>.
Then, on a modern computer, SigCheck
should take less than a second to run. At 1x speed, or on a real
Macintosh Plus, it takes much longer. The code of SigCheck is intended
to be simple to understand and maintain, as opposed to fast.
</p>
<p>
Now, click on the status bar again. If
all is well, the status bar should say
&ldquo;Good Signature.&rdquo; Otherwise you should get
an alert with some error message.
</p>
<p>
If SigCheck says the signature is good, that is strong evidence
that the message was signed by the owner of the public key
(the person who has the corresponding secret key). But you should be
aware of a number of weaknesses:
</p>
<p>
First, the key might not belong to who you think it does. If someone has
hacked the Gryphel Project website, or is intercepting all traffic
between you and the website, then they can replace the public keys
displayed on this website as well. So you shouldn&rsquo;t just get the
key from the website whenever you need it, you should save your own
copy. That still doesn&rsquo;t protect you when you first get the key.
One possible protection is to find other copies of the key on the web
and compare them.
</p>
<p>
Second, the key might have been stolen. Once anyone else knows the
secret key, it is pretty much useless. Securing information on a
computer is a difficult problem. Actually, it is impossible to prove
that a computer is completely secure. A computer not connected to the
internet is much more likely to be secure, but that is usually
impractical.
</p>
<p>
Third, the key might have been broken. The security of a key depends on
the difficulty of factoring a large number into two primes. In 2009, a
768 bit key was broken. As of this writing (2018), no one has publicly
broken a 1024 bit key, however there have been predictions that it would
be possible around now. It is quite possible that some large government
organization now has that capability. Even if that is so, for most uses
a 1024 bit key is probably still safe for signing. The capability would
most likely be quietly used for decrypting. Forging
signatures would make that capability publicly known, and so less
useful.
</p>
<p>
Forth, the digest algorithm might have been broken. SigCheck computes
a 40 byte digest from the message to compare with the decoded
signature. I believe it to be impractical to construct another
message that results in the same digest. But if someone figures out how,
that would make SigCheck useless.
</p>
<p>
SigCheck is in part descended from MacPGP source code, which, as far as
I can tell, allows derived works for noncommercial use. <!-- SigCheck is
generally compatible with MacPGP, but it is easier to legally
distribute, since it doesn&rsquo;t do cryptography. Since it only does
one thing it should also be easier to use. -->
</p>
<p>
If a file named &ldquo;pub_key.txt&rdquo; exists in the
same folder as the application, then SigCheck will not ask
for the public key, but instead get it from that file.
So you can save time for a frequently used key by setting up
a copy of SigCheck this way. You can save even more time by
&ldquo;wrapping&rdquo; this copy of SigCheck with
<a href="../autoquit/index.html">AutoQuit</a>.
</p>
<p>
The first 12 characters in a signature after the &ldquo;Gry/&rdquo;
(after the &ldquo;BEGIN GRY SIGNATURE&rdquo; line), should
match the first 12 characters in the public key after the
first &ldquo;/&rdquo;.
In the above example, &ldquo;AXuKqWsF8Rh5&rdquo;.
So if you have a text file with many public keys, you can
easily search for the right key for a signature.
</p>
<p>
<a href="../sigchktl/index.html">SigChkTl</a>
is a command line version of SigCheck.
</p>
<p>
SigCheck is a successor to
<a href="../psgcheck/index.html">PSgCheck</a>,
which uses a different format that is more or less compatible
with MacPGP.
</p>
<p>
Here is the md5 checksum for the download, signed with
<a href="https://www.gryphel.com/c/keys/k5.html">Gryphel Key 5</a>:
</p>
<blockquote>
<pre>
--------- GRY SIGNED TEXT ---------
46757c0a10d20e1d52927bdc6f2325f5 sigcheck-1.1.0.zip
------- BEGIN GRY SIGNATURE -------
Gry/4Xa8CFcUzxdN/NC5C7bO9uPNVmJPZvd31PACtsQToj77XzzrikfELiUwjDzv
xFD4GrylqGqMLc863DgDlnno920kTkdIWXoLGo4zBe96kwvu8UU8puOXuB/7JnFY
BDhfT7tzljE0pXd+8Sld/bsSMptWliotg4mMbbbKJ5ItijZFRybi4KZ+jg0Xw+lA
-------- END GRY SIGNATURE --------
</pre>
</blockquote>
<p> See the
<a href="../../appc/index.html">Compiling</a>
page for instructions on compiling SigCheck from the source code. </p>
<p> : </p>
<p> If you find SigCheck useful, please consider
<a href="https://www.gryphel.com/c/help/index.html">helping the Gryphel Project</a>,
of which it is a part. </p>
<a href="https://www.gryphel.com/index.html">
<img src="https://www.gryphel.com/d/gryphel-32.gif" width=32 height=32 border=0
alt="gryphel logo, 1K"
>
</a>
<hr>
<div>
<i> <a href="https://www.gryphel.com/index.html">www.gryphel.com</a>/c/<a href="../../index.html">minivmac</a>/<a href="../index.html">extras</a>/sigcheck
- <a href="https://www.gryphel.com/c/feedback.html">feedback</a> </i>
<br>
copyright (c) 2018 Paul C. Pratt - last update 10/19/2018
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink