Slackware This Forum is for the discussion of Slackware Linux.
#1 | 05-06-2014, 12:52 PM | Member | Registered: Aug 2012 | Posts: 484
OpenBSD's new John Hancock
With release 5.5, OpenBSD began digitally signing its code. To achieve this, OpenBSD developer Ted Unangst created signify, a signing tool built around Daniel Bernstein's Ed25519.
Why might you be interested in signify?
- OpenBSD's proven track record of high-quality secure code
- Ed25519 delivers strong security (roughly equivalent in strength to 3000-bit RSA according to creator Bernstein)
- Ed25519 has a small footprint (signify public keys are only 56 bytes after adding non-Ed25519 data and b64 encoding)
- GnuPG doesn't yet officially support digital signatures using ECC (see note below)
- You enjoy tinkering with new tools
There are some caveats...
- Signify is a signing tool only; it provides no encryption support.
- Signify doesn't operate within a PGP-style "web of trust". That said, my hunch is PGP usage is also primarily trust-on-first-use.
- Generated key pairs can be tough to keep organized. Metadata added to keys (64-bit fingerprints and text comments) helps, but a careless user can end up in key hell; be careful.
OK, enough verbiage. Where is it? Well, signify was developed for the OpenBSD community with no plans for a portable version. So, I downloaded the source, made some tweaks, and some coffees later packaged a self-contained Linux port that is 100% compatible with OpenBSD's signify.
The full Slackware build framework can be found at the slackdepot (if building on other Linuxes, get signify-linux.tar.bz2 and optionally get and apply passphrase.diff, then make && make install).
Enjoy your signing.
--mancha
----
note: GnuPG does provide ECC support in its development branch (starting with 2.1.0beta2). Supported algorithms include ECDSA for signing and ECDH to establish a shared secret for encryption key generation, per RFC 6637.
Last edited by mancha; 05-07-2014 at 08:51 AM.
Reason: mention compatibility
#2 | 05-06-2014, 01:00 PM | Senior Member | Registered: Nov 2013 | Location: Brazil | Distribution: Slackware | Posts: 1,223
That is another thing I still get confused about: GPG, signing keys, etc.
#3 | 05-06-2014, 01:18 PM | LQ Guru | Registered: Aug 2004 | Location: Pisa, Italy | Distribution: Slackware | Posts: 7,272
very interesting: thanks for porting it, mancha!
#4 | 05-06-2014, 01:37 PM | LQ Veteran | Registered: May 2008 | Posts: 7,013
Mancha, is the output of your linux port completely interoperable with keys/signatures created on OpenBSD?
#5 | 05-06-2014, 03:00 PM | Member (Original Poster) | Registered: Aug 2012 | Posts: 484
ponce: Thanks. I hope you enjoy it.
GazL: Should be 100% inter-operable. Once you build it, try:
Code:
$ wget http://ftp3.usa.openbsd.org/pub/OpenBSD/5.5/SHA256.sig
$ wget http://ftp3.usa.openbsd.org/pub/OpenBSD/src/etc/signify/openbsd-55-base.pub
$ signify -V -e -p openbsd-55-base.pub -m - -x SHA256.sig | tail -n 1
--mancha
Last edited by mancha; 05-06-2014 at 03:15 PM.
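The 56-byte key figure in post #1 and the SHA256.sig check above both rest on signify's two-line file format. As an added example (not code from the thread, from signify, or from mancha's port), here is a small C parser for that container that performs the check signify does before any Ed25519 math: the 8-byte keynum in the signature must match the one in the public key. The sample key and signature are constructed ASCII filler rather than real Ed25519 material, and all function names are my own.

```c
#include <string.h>
/* Decode one base64 character; -1 for anything outside the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}
/* Decode one base64 line (stops at newline or '=' padding); returns byte count, 0 on error. */
static size_t b64decode(const char *s, unsigned char *out, size_t outmax)
{
    size_t n = 0; unsigned bits = 0; int nbits = 0;
    for (; *s && *s != '\n' && *s != '='; s++) {
        int v = b64val((unsigned char)*s);
        if (v < 0) return 0;
        bits = (bits << 6) | (unsigned)v;
        if ((nbits += 6) < 8) continue;
        if (n == outmax) return 0;
        out[n++] = (unsigned char)(bits >> (nbits -= 8));
    }
    return n;
}
/* signify container: line 1 is "untrusted comment: ...", line 2 is base64 of "Ed" (Ed25519 tag)
 * + 8-byte keynum + payload (32-byte public key or 64-byte signature).
 * Copies out the keynum and returns the payload length, 0 if malformed. */
static size_t signify_parse(const char *text, unsigned char keynum[8])
{
    unsigned char raw[2 + 8 + 64];
    const char *nl = strchr(text, '\n');
    size_t n = (nl && !strncmp(text, "untrusted comment: ", 19)) ? b64decode(nl + 1, raw, sizeof raw) : 0;
    if (n < 10 || raw[0] != 'E' || raw[1] != 'd') return 0;
    memcpy(keynum, raw + 2, 8);
    return n - 10;
}
/* signify's first check, before any Ed25519 math: the signature must name the key's keynum. */
int signify_keynum_matches(const char *pubtext, const char *sigtext)
{
    unsigned char pk[8], sk[8];
    if (signify_parse(pubtext, pk) != 32 || signify_parse(sigtext, sk) != 64) return 0;
    return memcmp(pk, sk, 8) == 0;
}
/* Constructed samples, not real keys: "Ed" + keynum "ABCDEFGH" + 32 'x' bytes base64-encodes to
 * the 56-char key line; the signature reuses that keynum with 64 's' bytes, then the message (-e). */
const char SAMPLE_PUB[] = "untrusted comment: constructed example key\n"
    "RWRBQkNERUZHSHh4" "eHh4eHh4eHh4eHh4eHh4" "eHh4eHh4eHh4eHh4eHh4\n";
const char SAMPLE_SIG[] = "untrusted comment: verify with constructed example key\n"
    "RWRBQkNERUZHSHNz" "c3Nzc3Nzc3Nzc3Nzc3Nz" "c3Nzc3Nzc3Nzc3Nzc3Nz"
    "c3Nzc3Nzc3Nzc3Nzc3Nz" "c3Nzc3Nzc3Nzc3Nzc3Nz" "c3M=\n"
    "SHA256 (example.tgz) = constructed-digest-placeholder\n";
```

A keynum match only says which key the signature claims; the Ed25519 verification over the 64-byte payload still has to succeed, and a mismatch is what signify reports when the wrong -p key is supplied.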
#6 | 05-06-2014, 04:39 PM | Member | Registered: Oct 2011 | Distribution: Slackware64 | Posts: 364
This is very interesting. Thanks mancha. Your contributions are exemplary.
#7 | 05-06-2014, 06:04 PM | Guru | Registered: Mar 2004 | Location: Canada | Distribution: Slackware, Void | Posts: 7,413
mancha,
Thanks for doing this. I've only just started to use signify on OpenBSD 5.5 (May 1st) and I like it a lot.
#8 | 05-07-2014, 01:04 AM | Senior Member | Registered: Sep 2012 | Posts: 1,385
Very interesting. Thanks
#9 | 05-07-2014, 07:25 AM | Senior Member | Registered: Jun 2009 | Posts: 1,444
Very cool, nice work.
#10 | 05-08-2014, 11:13 PM | Member (Original Poster) | Registered: Aug 2012 | Posts: 484
Thanks for all the positive feedback!
My port is self-contained so there's no reason it can't be used on other "unixes". In fact, the new version I just uploaded to SF builds and runs on Cygwin. To reflect this, I'm calling it signify-portable rather than signify-linux.
If you successfully build & use this port on another OS (other than Linux and Cygwin-Windows), let me know and I'll add it to the list.
I took advantage of this update to sync with upstream (very minor changes) and re-arranged README and BACKGROUND a bit. The HOWTO remains unchanged and I recommend it for a quick example-driven introduction.
Barring force majeure, I don't plan another release until OpenBSD 5.6 ships.
--mancha
Last edited by mancha; 05-08-2014 at 11:42 PM.
#11 | 05-09-2014, 09:46 AM | Member (Original Poster) | Registered: Aug 2012 | Posts: 484
I just uploaded signify-portable-20140509.tar.bz2 which fixes a small dangling descriptor bug </OCD>. All you need to get is the new tarball and edit the SlackBuild to reflect the new version (i.e. 20140509) or re-download signify.SlackBuild.
--mancha
#12 | 05-09-2014, 09:52 AM | Member | Registered: Jul 2004 | Distribution: Void Linux, former Slackware | Posts: 498
Good stuff. Just studying the diff to the orig. sources ;-)
Btw. I would welcome and even like to participate in the conversion of OpenBSD's LibreSSL to Linux.
#13 | 05-09-2014, 10:48 AM | Member (Original Poster) | Registered: Aug 2012 | Posts: 484
dunric:
I'm glad you're interested enough to review diffs; that's a great way to learn what I did in my signify porting exercise.
On LibreSSL, I agree with you that it's a very interesting project. In fact, I'm actively tracking it and have made a few small contributions. I've not tried porting it for two reasons: 1) OpenBSD has said they have plans to produce a portable version, and 2) it's still undergoing so many substantive changes that beginning a port now would be a non-stop effort. That said, I encourage you to look at what they've done so far if you're interested.
Regarding #1, you will probably be happy to learn OpenBSD is already doing things with a future portable version in mind. There's another good reason to wait for OpenBSD's portable version: porting LibreSSL can be tricky. It is easy, if you don't really understand the underlying codebase, to inadvertently undo OpenBSD's improvements or introduce bugs of your own. For example, this porting effort, already underway, is making decisions I disagree with:
Code:
#include <strings.h>
#define explicit_bzero bzero
The whole point of explicit_bzero is so bzero doesn't get optimized away. That #define effectively neutralizes OpenBSD's improvement.
At some point in the near future, it probably makes sense to start a new thread on this and, depending on how things stand, maybe put a group together to look into getting LibreSSL working on Slackware.
--mancha
Last edited by mancha; 05-09-2014 at 09:45 PM.
Reason: add some LibreSSL links; discuss porting pitfalls
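To make the pitfall concrete, here is an added example (not from the thread, from OpenBSD, or from the porting effort mancha criticises) of a portable stand-in for explicit_bzero: the store goes through a volatile function pointer, so the compiler cannot see a plain memset on memory that is never read again and cannot delete it as a dead store. All names are assumed, and the wipe check is there to make the behaviour observable.

```c
#include <string.h>

/* The shortcut the post objects to, for contrast only:
 *     #define explicit_bzero bzero
 * A bzero/memset on a buffer that is never read again is a dead store, and an
 * optimizing compiler may delete it, leaving the secret in memory. */

/* Portable stand-in for explicit_bzero (name assumed). The store is made through a
 * volatile function pointer: the compiler cannot tell which function will run, so it
 * cannot treat the call as a removable dead store. */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;

void portable_explicit_bzero(void *buf, size_t len)
{
    memset_fn(buf, 0, len);
}

/* Returns 1 when every byte of buf is zero; used to confirm the wipe happened. */
int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Typical use: scratch that held key material is wiped before the function returns. */
int wipe_scratch_and_check(void)
{
    unsigned char scratch[64];
    memset(scratch, 0xA5, sizeof scratch);   /* stands in for secret material */
    portable_explicit_bzero(scratch, sizeof scratch);
    return all_zero(scratch, sizeof scratch);
}
```

Where the platform offers a guaranteed primitive (OpenBSD's own explicit_bzero, or C11's memset_s), a port should use that rather than the #define shortcut; the volatile-pointer form is the fallback for compilers that have neither.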
#14 | 05-27-2014, 04:31 PM | Senior Member | Registered: Nov 2013 | Location: Brazil | Distribution: Slackware | Posts: 1,223
It worked flawlessly, thanks mancha
#15 | 09-10-2014, 01:34 AM | Member (Original Poster) | Registered: Aug 2012 | Posts: 484
I recently sync'd my signify port with OpenBSD. Signify now uses hash tables, which should improve performance, while the handling of the prng and secure memory is more robust. I recommend those using my port upgrade to the latest version: signify-portable 20140902.
The optional passphrase patch is now bundled in the tarball and can be applied, as before, by setting PASSPHRASE to yes, i.e.
Code:
# PASSPHRASE=yes sh signify.SlackBuild
To build the new version, you need three files:
- signify.SlackBuild
- signify-portable-20140902.tar.bz2
- slack-desc
The project directory also contains SHA256 digest lists signed with my PGP & signify keys for those wishing to verify their downloads.
Enjoy.
--mancha