Signing Files With SHA256

SHA256 is widely regarded as a good security hash that's still secure (some others such as MD5 etc are no longer considered secure).  The following process lets you sign and verify files using sha256

Raspbian comes with openssl already and the commands used below are console commands  If you want to execute them programmatically you can use the approach shown here.

We used this excellent guide to create this page: http://www.zimuel.it/sign-and-verify-a-file-using-openssl/

Generate a Key Pair

You'll need a public and private key file to be able to sign.  Your private key is never distributed, you keep that safe.  As a additional layer of security the command below will encrypt it with a password you'll also need to supply when using it.

Your public key will need to be distributed for anyone / your application to use to be able to verify if the file you signed was signed using the corresponding secret private key file.  This type of hashing verification works using clever maths where a public key generated from a private key can verify that a hash was originally created using the secret private key. 


sudo openssl genrsa -aes128 -passout pass:MY_PRIVATE_KEY_PASSWORD -out /home/pi/projects/private.pem 4096
sudo openssl rsa -in /home/pi/projects/private.pem -passin pass:MY_PRIVATE_KEY_PASSWORD -pubout -out /home/pi/projects/public.pem

Replace MY_PRIVATE_KEY_PASSWORD with your own password that will be required whenever you need to use the private key file.  Don't add quotation marks around it, just provide a string of characters for it to use, e.g. pass:abcd1234z -out 

In your "/home/pi/projects/" folder you will now find the following files:

/home/pi/projects/private.pem
/home/pi/projects/public.pem

These are your key files.

Generate A Hash For A File

These commands will generate a hash signature file: 


sudo openssl dgst -sha256 -sign /home/pi/projects/private.pem -out /tmp/sign.sha256 /home/pi/projects/my_file_to_be_signed.a
sudo openssl base64 -in /tmp/sign.sha256 -out /home/pi/projects/my_digital_signature_output_file.txt

The file "/home/pi/projects/my_digital_signature_output_file.txt" can now be distributed along with your "/home/pi/projects/my_file_to_be_signed.a" and be used to verify that "my_file_to_be_signed.a" is genuine.

The first command generates the hash, the 2nd command converts it from binary to base64 so its suitable for a text file.

Verifying A Hash Of A File


openssl base64 -d -in /home/pi/projects/my_digital_signature_output_file.txt -out /tmp/sign.sha256
openssl dgst -sha256 -verify /home/pi/projects/public.pem -signature /tmp/sign.sha256 /home/pi/projects/my_file_to_be_signed.a

If it was successful you will get "Verified OK" response.

The first command converts the base64 hash back to binary and the 2nd command verifies the hash was generated from the same file using the private key.

 

USEFUL?
We benefit hugely from resources on the web so we decided we should try and give back some of our knowledge and resources to the community by opening up many of our company’s internal notes and libraries through mini sites like this. We hope you find the site helpful.
Please feel free to comment if you can add help to this page or point out issues and solutions you have found, but please note that we do not provide support on this site. If you need help with a problem please use one of the many online forums.

Comments

Your email address will not be published. Required fields are marked *