<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>

<head>
<title> SigCheck </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="canonical" href="index.html">
</head>

<body>
<div>

<i> <a href="https://www.gryphel.com/index.html">www.gryphel.com</a>/c/<a href="../../index.html">minivmac</a>/<a href="../index.html">extras</a>/sigcheck
- <a href="https://www.gryphel.com/c/feedback.html">feedback</a> </i>

</div>

<hr>
<h2 align=center>
SigCheck
</h2>

<hr>
<p> Download </p>
<blockquote>

<p> <a href="https://www.gryphel.com/d/minivmac/extras/sigcheck/sigcheck-1.1.0.zip">sigcheck-1.1.0.zip</a>
(111K) a zipped HFS disk image and checksum file.
The disk image can be mounted with Mini vMac.
Includes source code.
</p>

</blockquote>
<p>
SigCheck is a tool for checking the digital signatures
found throughout this website, to verify the integrity of downloads.
Also, anyone can create their own signed message for SigCheck using the
<a href="../sigwrite/index.html">SigWrite</a>
tool.
</p>

<p> <img src="https://www.gryphel.com/d/minivmac/extras/sigcheck/screen.gif" width=514 height=344 border=0 alt="Screenshot"> </p>
<p>
To use SigCheck, launch the application, and in the editing window
that appears, paste in a signed message.
For example:
<!-- For example, here is a
checksum for the SigCheck download, signed with
<a href="../../../../c/keys/k1.html">Gryphel Key 1</a>,
the main public key for the Gryphel Project:
-->
</p>
<blockquote>
<pre>
--------- GRY SIGNED TEXT ---------

Twas brillig, and the slithy toves
did gyre and gimble in the wabe:
All mimsy were the borogoves,
and the mome raths outgrabe.

------- BEGIN GRY SIGNATURE -------
Gry/AXuKqWsF8Rh5/Bb045yIowANlvp/V/ymKoDa55Wb7dW/xGfPmca8oLw+Rv9d
cSQpcL+XpzESnWqpK/uNg7lTIe4wdOzo1/s6bHU0u27J+A5EngkYQiAMHeETq6Nx
DM8viQbkNx2UZrDxyOLCGXW1N4txMktyjC3DYzRMH/oKBVHxgP6B2j8sipEgp3Zf
-------- END GRY SIGNATURE --------
</pre>
</blockquote>
<p>
Copy all of the indented text above, which includes the message
body, the signature, and headers and footers.
Then paste it into SigCheck. If SigCheck is run inside Mini vMac,
this requires getting the clipboard into the emulated Macintosh.
You can get
text into the emulated Macintosh using the “Host Paste”
command in the Edit Menu of SigCheck. It is like the “Paste” command,
except that it uses the clipboard of the real computer instead
of the clipboard of the emulated computer. The keyboard shortcut
is Command-Option-V. (The “Host Paste” command has
a similar effect to using
<a href="../clipin/index.html">ClipIn</a>
and then the normal “Paste” command.)
</p>
<p> Then click on the status bar, at the bottom
of the window below the editing area.
(Choosing the ‘Go’ command from the File menu
of the emulated Macintosh will also work. The keyboard shortcut
is Command-G.) </p>
<p>
The editing area is cleared. Next, paste in the public key
for the signed message.
For this example:
</p>
<blockquote>
<pre>
----- BEGIN GRY PUBLIC KEY -----
Gry+PKAIAAA/AXuKqWsF8Rh5Ie4/vORBnTxYf8FPpRl/n6hpgDgfJ5MAOsAEyePE
nSfjmL3I9emNTuW/iCIHlCl/WkaWyMQZ+NDb1ZsnSLyOKwOycVkR3JwJbUamM4wy
jUuoWV6jzuhqWZobpGPMSN4B3ivHXtcNVm5SVmnAL13T4FCLnx+TxaYRAQABwA54
------ END GRY PUBLIC KEY ------
</pre>
</blockquote>
<p>
Before continuing, it would be a good idea to set Mini vMac to
<a href="../../hardware.html#processor">All Out speed</a>.
Then, on a modern computer, SigCheck
should take less than a second to run. At 1x speed, or on a real
Macintosh Plus, it takes much longer. The code of SigCheck is intended
to be simple to understand and maintain, as opposed to fast.
</p>
<p>
Now, click on the status bar again. If
all is well, the status bar should say
“Good Signature.” Otherwise you should get
an alert with some error message.
</p>
<p>
If SigCheck says the signature is good, that is strong evidence
that the message was signed by the owner of the public key
(the person who has the corresponding secret key). But you should be
aware of a number of weaknesses:
</p>
<p>
First, the key might not belong to who you think it does. If someone has
hacked the Gryphel Project website, or is intercepting all traffic
between you and the website, then they can replace the public keys
displayed on this website as well. So you shouldn’t just get the
key from the website whenever you need it; you should save your own
copy. That still doesn’t protect you when you first get the key.
One possible protection is to find other copies of the key on the web
and compare them.
</p>
<p>
Second, the key might have been stolen. Once anyone else knows the
secret key, it is pretty much useless. Securing information on a
computer is a difficult problem. Actually, it is impossible to prove
that a computer is completely secure. A computer not connected to the
internet is much more likely to be secure, but that is usually
impractical.
</p>
<p>
Third, the key might have been broken. The security of a key depends on
the difficulty of factoring a large number into two primes. In 2009, a
768-bit key was broken. As of this writing (2018), no one has publicly
broken a 1024-bit key; however, there have been predictions that it would
be possible around now. It is quite possible that some large government
organization now has that capability. Even if that is so, for most uses
a 1024-bit key is probably still safe for signing. The capability would
most likely be quietly used for decrypting. Forging
signatures would make that capability publicly known, and so less
useful.
</p>
<p>
Fourth, the digest algorithm might have been broken. SigCheck computes
a 40-byte digest from the message to compare with the decoded
signature. I believe it to be impractical to construct another
message that results in the same digest. But if someone figures out how,
that would make SigCheck useless.
</p>
<p>
SigCheck is in part descended from MacPGP source code, which, as far as
I can tell, allows derived works for noncommercial use. <!-- SigCheck is
generally compatible with MacPGP, but it is easier to legally
distribute, since it doesn’t do cryptography. Since it only does
one thing it should also be easier to use. -->
</p>
<p>
If a file named “pub_key.txt” exists in the
same folder as the application, then SigCheck will not ask
for the public key, but instead get it from that file.
So you can save time for a frequently used key by setting up
a copy of SigCheck this way. You can save even more time by
“wrapping” this copy of SigCheck with
<a href="../autoquit/index.html">AutoQuit</a>.
</p>
<p>
The first 12 characters in a signature after the “Gry/”
(after the “BEGIN GRY SIGNATURE” line) should
match the first 12 characters in the public key after the
first “/”.
In the above example, that is “AXuKqWsF8Rh5”.
So if you have a text file with many public keys, you can
easily search for the right key for a signature.
</p>
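<p>
The key lookup described above, as an added example that is not part of SigCheck or of the original page: it reads the 12-character ID from a signature block and picks the matching block out of a text file of public keys.
The function names and the placeholder key block are constructed for illustration; the signature and the other key are the examples shown on this page.
</p>

```python
import re

# \s+ between lines, so LF, CR (classic Mac) and CRLF text all parse.
SIG_RE = re.compile(r"-+ BEGIN GRY SIGNATURE -+\s+(.*?)\s+-+ END GRY SIGNATURE -+", re.S)
KEY_RE = re.compile(r"-+ BEGIN GRY PUBLIC KEY -+\s+(.*?)\s+-+ END GRY PUBLIC KEY -+", re.S)

def signature_key_id(signed_text):
    """Return the 12 characters after 'Gry/' at the start of the signature block."""
    m = SIG_RE.search(signed_text)
    body = "".join(m.group(1).split()) if m else ""
    if not body.startswith("Gry/") or len(body) < 16:
        raise ValueError("no usable GRY signature block")
    return body[4:16]

def public_key_id(key_body):
    """Return the 12 characters after the first '/' in a public key block."""
    _, sep, rest = key_body.partition("/")
    if not sep or len(rest) < 12:
        raise ValueError("malformed GRY public key block")
    return rest[:12]

def find_key(signed_text, keyring_text):
    """Return the one key block in keyring_text whose ID matches the signature.
    This only selects a key; the signature still has to be checked with SigCheck."""
    wanted = signature_key_id(signed_text)
    hits = [m.group(0) for m in KEY_RE.finditer(keyring_text)
            if public_key_id("".join(m.group(1).split())) == wanted]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} keys match ID {wanted}")
    return hits[0]

# Signature block of this page's example (the ID does not depend on the message body).
SIGNED = """------- BEGIN GRY SIGNATURE -------
Gry/AXuKqWsF8Rh5/Bb045yIowANlvp/V/ymKoDa55Wb7dW/xGfPmca8oLw+Rv9d
cSQpcL+XpzESnWqpK/uNg7lTIe4wdOzo1/s6bHU0u27J+A5EngkYQiAMHeETq6Nx
DM8viQbkNx2UZrDxyOLCGXW1N4txMktyjC3DYzRMH/oKBVHxgP6B2j8sipEgp3Zf
-------- END GRY SIGNATURE --------
"""
# Keyring: a constructed placeholder block (not a real key), then this page's example key.
KEYRING = """----- BEGIN GRY PUBLIC KEY -----
Gry+PKAIAAA/CONSTRUCTED0/placeholderNotARealKey
------ END GRY PUBLIC KEY ------
----- BEGIN GRY PUBLIC KEY -----
Gry+PKAIAAA/AXuKqWsF8Rh5Ie4/vORBnTxYf8FPpRl/n6hpgDgfJ5MAOsAEyePE
nSfjmL3I9emNTuW/iCIHlCl/WkaWyMQZ+NDb1ZsnSLyOKwOycVkR3JwJbUamM4wy
jUuoWV6jzuhqWZobpGPMSN4B3ivHXtcNVm5SVmnAL13T4FCLnx+TxaYRAQABwA54
------ END GRY PUBLIC KEY ------
"""
```

<p>
Run the lookup against your own saved copy of the keys rather than a freshly downloaded one, for the reason given in the first weakness above.
</p>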

<p>
<a href="../sigchktl/index.html">SigChkTl</a>
is a command line version of SigCheck.
</p>
<p>
SigCheck is a successor to
<a href="../psgcheck/index.html">PSgCheck</a>,
which uses a different format that is more or less compatible
with MacPGP.
</p>
<p>
Here is the MD5 checksum for the download, signed with
<a href="https://www.gryphel.com/c/keys/k5.html">Gryphel Key 5</a>:
</p>
<blockquote>
<pre>
--------- GRY SIGNED TEXT ---------

46757c0a10d20e1d52927bdc6f2325f5 sigcheck-1.1.0.zip

------- BEGIN GRY SIGNATURE -------
Gry/4Xa8CFcUzxdN/NC5C7bO9uPNVmJPZvd31PACtsQToj77XzzrikfELiUwjDzv
xFD4GrylqGqMLc863DgDlnno920kTkdIWXoLGo4zBe96kwvu8UU8puOXuB/7JnFY
BDhfT7tzljE0pXd+8Sld/bsSMptWliotg4mMbbbKJ5ItijZFRybi4KZ+jg0Xw+lA
-------- END GRY SIGNATURE --------
</pre>
</blockquote>
<p> See the
<a href="../../appc/index.html">Compiling</a>
page for instructions on compiling SigCheck from the source code. </p>
<p> : </p>
<p> If you find SigCheck useful, please consider
<a href="https://www.gryphel.com/c/help/index.html">helping the Gryphel Project</a>,
of which it is a part. </p>
<a href="https://www.gryphel.com/index.html">
<img src="https://www.gryphel.com/d/gryphel-32.gif" width=32 height=32 border=0
alt="gryphel logo, 1K"
>
</a>

<hr>
<div>
copyright (c) 2018 Paul C. Pratt - last update 10/19/2018

</div>
</body>

</html>