{"id":2664,"date":"2016-10-07T15:38:55","date_gmt":"2016-10-07T15:38:55","guid":{"rendered":"https:\/\/raspberry-projects.com\/pi\/?p=2664"},"modified":"2016-10-08T12:26:23","modified_gmt":"2016-10-08T12:26:23","slug":"signing-files-with-sha256","status":"publish","type":"post","link":"https:\/\/raspberry-projects.com\/pi\/programming-in-c\/security\/signing-files-with-sha256","title":{"rendered":"Signing Files With SHA256"},"content":{"rendered":"

\nSHA256 is widely regarded as a good security hash that's still secure (some others such as MD5 etc are no longer considered secure).  The following process lets you sign and verify files using sha256\n<\/p>\n

\nRaspbian comes with openssl already and the commands used below are console commands  If you want to execute them programmatically you can use the approach shown here<\/a>.\n<\/p>\n

\nWe used this excellent guide to create this page: http:\/\/www.zimuel.it\/sign-and-verify-a-file-using-openssl\/<\/a>\n<\/p>\n

\nGenerate a Key Pair
\n<\/h4>\n

\nYou'll need a public and private key file to be able to sign.  Your private key is never distributed, you keep that safe.  As a additional layer of security the command below will encrypt it with a password you'll also need to supply when using it.\n<\/p>\n

\nYour public key will need to be distributed for anyone \/ your application to use to be able to verify if the file you signed was signed using the corresponding secret private key file.  This type of hashing verification works using clever maths where a public key generated from a private key can verify that a hash was originally created using the secret private key.\n<\/p>\n

\r\n\r\nsudo openssl genrsa -aes128 -passout pass:MY_PRIVATE_KEY_PASSWORD -out \/home\/pi\/projects\/private.pem 4096\r\nsudo openssl rsa -in \/home\/pi\/projects\/private.pem -passin pass:MY_PRIVATE_KEY_PASSWORD -pubout -out \/home\/pi\/projects\/public.pem\r\n<\/code><\/pre>\n
\nReplace MY_PRIVATE_KEY_PASSWORD with your own password that will be required whenever you need to use the private key file.  Don't add quotation marks around it, just provide a string of characters for it to use, e.g. pass:abcd1234z -out \n<\/p>\n
\nIn your "\/home\/pi\/projects\/" folder you will now find the following files:\n<\/p>\n
\n\/home\/pi\/projects\/private.pem
\n\/home\/pi\/projects\/public.pem\n<\/p>\n
\nThese are your key files.\n<\/p>\n
\nGenerate A Hash For A File
\n<\/h4>\n
\nThese commands will generate a hash signature file:\n<\/p>\n
\r\n\r\nsudo openssl dgst -sha256 -sign \/home\/pi\/projects\/private.pem -out \/tmp\/sign.sha256 \/home\/pi\/projects\/my_file_to_be_signed.a\r\nsudo openssl base64 -in \/tmp\/sign.sha256 -out \/home\/pi\/projects\/my_digital_signature_output_file.txt\r\n<\/code><\/pre>\n
\nThe file "\/home\/pi\/projects\/my_digital_signature_output_file.txt" can now be distributed along with your "\/home\/pi\/projects\/my_file_to_be_signed.a" and be used to verify that "my_file_to_be_signed.a" is genuine.\n<\/p>\n
\nThe first command generates the hash, the 2nd command converts it from binary to base64 so its suitable for a text file.\n<\/p>\n
\nVerifying A Hash Of A File
\n<\/h4>\n
\r\n\r\nopenssl base64 -d -in \/home\/pi\/projects\/my_digital_signature_output_file.txt -out \/tmp\/sign.sha256\r\nopenssl dgst -sha256 -verify \/home\/pi\/projects\/public.pem -signature \/tmp\/sign.sha256 \/home\/pi\/projects\/my_file_to_be_signed.a\r\n<\/code><\/pre>\n
\nIf it was successful you will get "Verified OK" response.\n<\/p>\n
\nThe first command converts the base64 hash back to binary and the 2nd command verifies the hash was generated from the same file using the private key.\n<\/p>\n
\n <\/p>\n","protected":false},"excerpt":{"rendered":"
SHA256 is widely regarded as a good security hash that's still secure (some others such as MD5 etc are no longer considered secure).  The following process lets you sign and verify files using sha256 Raspbian comes with openssl already and the commands used below are console commands  If you want to execute them programmatically you can use the approach […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[134],"tags":[],"class_list":["post-2664","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/posts\/2664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/comments?post=2664"}],"version-history":[{"count":7,"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/posts\/2664\/revisions"}],"predecessor-version":[{"id":2672,"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/posts\/2664\/revisions\/2672"}],"wp:attachment":[{"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/media?parent=2664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/categories?post=2664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raspberry-projects.com\/pi\/wp-json\/wp\/v2\/tags?post=2664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}