LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-10-2007, 02:11 PM   #1
makix
LQ Newbie
 
Registered: Apr 2005
Distribution: fedora
Posts: 16

Rep: Reputation: 0
Lightbulb Package signing and verification


Hi all linux geeks,i want to develop an application that manages signing and verification of the packages.I will do that for a custom linux distribution so it doesnt use .deb or .rpm packaging managers. I want to use a public key infrastructure for that purpose,but never developed something like that.
So the person that packs the software will be able to sign the package and user that downloads it will be able to verify it s source. I searched about other distributions how do they conduct that job but couldn find anything useful. If someone have experience about that topic just post what you think please

 
Old 08-10-2007, 03:37 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Slackware packages are signed with gpg. So, for every package, say, package_name.tgz, there is an accompanying file named package_name.tgz.asc, which is used to certify the authenticity of the package.

The maintainer's public key is available on the official web site (or on downloaded CD-ROM images, etc). Once the public key is imported (gpg --import key_file), packages are verified with gpg --verify package_name.tgz.asc.
 
Old 08-10-2007, 03:49 PM   #3
makix
LQ Newbie
 
Registered: Apr 2005
Distribution: fedora
Posts: 16

Original Poster
Rep: Reputation: 0
Thanks for the reply, i think to store the signature into the package itself,i dont know if it is a good idea or not but seems to me more packed. I dont want to use gpg i want to make that with python. So my plan is like that : for signing

1)Compute all the digests of the files that are inthe package (md5 or sha1) and store into a file
2) Sign that file (private key ) with digests with RSA or something like that

For verification :

1) User imports the public key of the signer
2) Decrypts the file with digests
3) Computes the all digests of the files with md5 or sha1 and compares if all are same the package is verified

It may seems stupid if someone has some ideas to improve it please tell me
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
rpm -Va : package verification jaggy00 Linux - Software 4 05-02-2007 06:29 AM
Signing in avarus LinuxQuestions.org Member Intro 1 04-03-2004 11:31 PM
verification of package *blah* failed FunkyRes Debian 4 03-30-2004 01:40 AM
Use Openssl to do signing and verification johnny.lee Programming 0 02-18-2004 10:30 PM
signing in hotmail wilbertcsci Linux - Software 7 11-02-2003 07:55 AM


All times are GMT -5. The time now is 05:53 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration