-
Notifications
You must be signed in to change notification settings - Fork 0
pseudonymous digital signatures
License
leahneukirchen/sgn
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
= sgn - pseudonymous digital signatures
sgn allows you to mark files such that others can verify the same
person wrote them.
*** THIS IS ALPHA SOFTWARE, NOT YET PROPERLY PEER-REVIEWED. USE AT OWN RISK. ***
== Requirements
* Ruby 1.8.
* OpenSSL 0.9.8 or newer, openssl(1).
* Support for /dev/fd/.
== Usage
Generate a key with `sgn-genkey`:
% sgn-genkey
Generating key...
read EC key
writing EC key
Wrote public key /Users/azurediamond/.sgn.pub.
Do you want to encrypt the private key [recommended] (y/n)? y
read EC key
writing EC key
Enter PEM pass phrase: hunter2
Verifying - Enter PEM pass phrase: hunter2
Wrote private key /Users/azurediamond/.sgn.pem.
Created key with fingerprint 358b3f83e291a784ac4fa141225815da728c0e80.
Sign a file with `sgn`:
% sgn FILE >FILE.signed
Enter pass phrase for /Users/azurediamond/.sgn.pem: hunter2
% tail -2 FILE.signed
SK: MC4wEAYHKoZIzj0CAQYFK4EEAB8DGgADx8YQzTwcnJeizBVIiAr70e+/eamw7exP
SH: MDQCGG8SE8+uf0y8c4uOMi0dJBIf41taxJYg8QIYLAnAy9FyP382fcTFI3ztsGmWCMvaJHf9
Copy it, modify it:
% cp FILE.signed FILE.changed
% ed FILE.changed
,s/private/public/g
w
q
Verify the files with `sgn-check`:
% sgn-check FILE*
file not signed: FILE
358b3f83e291a784ac4fa141225815da728c0e80 FILE.changed FAILED
358b3f83e291a784ac4fa141225815da728c0e80 FILE.signed OK
As you can see, the signed files contain your fingerprints, and the
modification has been discovered. Note that "OK" only means the
content check passed; only the fingerprint identifies the signer!
Thus
f28c6a572a78961cdd91244a41e4e423a4c2334f FILE.changed OK
would mean the file was not signed by the signer of FILE.signed (or
with a different key).
== How it works
sgn uses modern elliptic public cryptography to sign files using ECDSA
and includes the public key in all signed files to allow
offline-checking. Currently, a 192-bit SECG key is used for signing
(which is stronger than an equivalent 1024-bit RSA key), and SHA1 for
hashing (I'd like to use a better hash, but that's all OpenSSL has for
ECDSA.) Due to the compact size of key and hash, both easily fit into
an 80 character line and don't clutter the things you want to sign.
NOTA BENE: You must not lose or leak your private key. There is no
revocation mechanism. Encrypt it if you intend to sign critical
information!
== Miscellaneous
It is your own problem to authorize your fingerprints. There is no PKI.
You can place SH:/SK: markers at places you prefer (e.g. inside
comments) to store the signature there. Avoid SH:/SK: strings elsewhere.
Make a key for each identity you have.
sgn.el provides a few Emacs macros to sign and check buffers.
== Copyright
Written by 1b5c1836ae72386d5812a0eb63135abeacb38c76, see LICENSE.
About
pseudonymous digital signatures
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published