SHA256 is widely regarded as a good security hash that's still secure (some others such as MD5 etc are no longer considered secure). The following process lets you sign and verify files using sha256
Raspbian comes with openssl already and the commands used below are console commands If you want to execute them programmatically you can use the approach shown here.
We used this excellent guide to create this page: http://www.zimuel.it/sign-and-verify-a-file-using-openssl/
Generate a Key Pair
You'll need a public and private key file to be able to sign. Your private key is never distributed, you keep that safe. As a additional layer of security the command below will encrypt it with a password you'll also need to supply when using it.
Your public key will need to be distributed for anyone / your application to use to be able to verify if the file you signed was signed using the corresponding secret private key file. This type of hashing verification works using clever maths where a public key generated from a private key can verify that a hash was originally created using the secret private key.
sudo openssl genrsa -aes128 -passout pass:MY_PRIVATE_KEY_PASSWORD -out /home/pi/projects/private.pem 4096 sudo openssl rsa -in /home/pi/projects/private.pem -passin pass:MY_PRIVATE_KEY_PASSWORD -pubout -out /home/pi/projects/public.pem
Replace MY_PRIVATE_KEY_PASSWORD with your own password that will be required whenever you need to use the private key file. Don't add quotation marks around it, just provide a string of characters for it to use, e.g. pass:abcd1234z -out
In your "/home/pi/projects/" folder you will now find the following files:
These are your key files.
Generate A Hash For A File
These commands will generate a hash signature file:
sudo openssl dgst -sha256 -sign /home/pi/projects/private.pem -out /tmp/sign.sha256 /home/pi/projects/my_file_to_be_signed.a sudo openssl base64 -in /tmp/sign.sha256 -out /home/pi/projects/my_digital_signature_output_file.txt
The file "/home/pi/projects/my_digital_signature_output_file.txt" can now be distributed along with your "/home/pi/projects/my_file_to_be_signed.a" and be used to verify that "my_file_to_be_signed.a" is genuine.
The first command generates the hash, the 2nd command converts it from binary to base64 so its suitable for a text file.
Verifying A Hash Of A File
openssl base64 -d -in /home/pi/projects/my_digital_signature_output_file.txt -out /tmp/sign.sha256 openssl dgst -sha256 -verify /home/pi/projects/public.pem -signature /tmp/sign.sha256 /home/pi/projects/my_file_to_be_signed.a
If it was successful you will get "Verified OK" response.
The first command converts the base64 hash back to binary and the 2nd command verifies the hash was generated from the same file using the private key.