LinuxQuestions.org, Slackware forum
05-06-2014, 12:52 PM   #1
mancha
OpenBSD's new John Hancock


With release 5.5, OpenBSD began digitally signing its code. To achieve this, OpenBSD developer Ted Unangst created signify,
a signing tool built around Daniel Bernstein's Ed25519.

Why might you be interested in signify?
  • OpenBSD's proven track record of high-quality secure code
  • Ed25519 delivers strong security (roughly equivalent in strength to 3000-bit RSA according to creator Bernstein)
  • Ed25519 has a small footprint (signify public keys are only 56 bytes after adding non-Ed25519 data and b64 encoding)
  • GnuPG doesn't yet officially support digital signatures using ECC (see note below)
  • You enjoy tinkering with new tools
There are some caveats...
  • Signify is a signing tool only; it provides no encryption support.
  • Signify doesn't operate within a PGP-style "web of trust". That said, my hunch is PGP usage is also primarily
    trust-on-first-use.
  • Generated key pairs can be tough to keep organized. Metadata added to keys (64-bit fingerprints and text
    comments) helps but a careless user can end up in key hell; be careful.
OK, enough verbiage. Where is it? Well, signify was developed for the OpenBSD community with no plans for a portable
version. So, I downloaded source, made some tweaks, and some coffees later packaged a self-contained Linux port that
is 100% compatible with OpenBSD's signify.

The full Slackware build framework can be found at the slackdepot (if building on other Linuxes get signify-linux.tar.bz2
and optionally get and apply passphrase.diff then make && make install).

Enjoy your signing.

--mancha

----
note: GnuPG does provide ECC support in its development branch (starting with 2.1.0beta2). Supported algorithms
include ECDSA for signing and ECDH to establish a shared secret for encryption key generation, per RFC 6637.

Last edited by mancha; 05-07-2014 at 08:51 AM. Reason: mention compatibility
 
05-06-2014, 01:00 PM   #2
moisespedro
That is another thing I still get confused about: GPG, signing keys, etc.
 
05-06-2014, 01:18 PM   #3
ponce
very interesting: thanks for porting it, mancha!
 
05-06-2014, 01:37 PM   #4
GazL
Mancha, is the output of your linux port completely interoperable with keys/signatures created on OpenBSD?
 
05-06-2014, 03:00 PM   #5
mancha
ponce: Thanks. I hope you enjoy it.

GazL: Should be 100% inter-operable. Once you build it, try:

Code:
$ wget http://ftp3.usa.openbsd.org/pub/OpenBSD/5.5/SHA256.sig
$ wget http://ftp3.usa.openbsd.org/pub/OpenBSD/src/etc/signify/openbsd-55-base.pub
$ signify -V -e -p openbsd-55-base.pub -m - -x SHA256.sig | tail -n 1
--mancha

Last edited by mancha; 05-06-2014 at 03:15 PM.
 
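Post #1 gives the size of a signify public key (56 bytes once base64-encoded, with a 64-bit key number attached) and post #5 shows the verify invocation on an embedded signature. The following is an added example, not code from mancha's port or from OpenBSD's signify: it parses the two on-disk formats involved and applies the key-number check signify performs before doing any Ed25519 arithmetic (the Ed25519 verification itself is left to a library). The function names, the constructed zero-filled key and signature blobs, and the placeholder digest in the embedded message are all assumptions made for the example.

```c
/* Added example, not code from mancha's port or from OpenBSD's signify: a parser
 * for the two on-disk formats in this thread plus the key-number check signify
 * runs before any Ed25519 arithmetic. Layout as in OpenBSD signify:
 *   public key: "Ed" + 8-byte key number + 32-byte key = 42 bytes = 56 base64 chars
 *   signature:  "Ed" + 8-byte key number + 64-byte sig = 74 bytes = 100 base64 chars
 * With -e the signed message follows the signature line. The Ed25519 check itself
 * is left to a library; the inputs below are constructed zero-filled test blobs. */
#include <stdio.h>
#include <string.h>

#define COMMENTHDR  "untrusted comment: "
#define KEYNUMLEN   8
#define PUBLICBYTES 32
#define SIGBYTES    64

struct blob {
    unsigned char keynum[KEYNUMLEN];   /* the 64-bit fingerprint post #1 mentions */
    unsigned char data[SIGBYTES];      /* 32-byte public key or 64-byte signature */
};

/* Minimal base64 decoder: bytes written, or -1 on a character outside the alphabet. */
static int b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outmax)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < inlen && in[i] != '='; i++) {
        const char *p = in[i] ? strchr(tbl, in[i]) : NULL;
        if (p == NULL)
            return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outmax)
                return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Parse "untrusted comment: ...\n<base64>\n[message]"; expect is PUBLICBYTES or
 * SIGBYTES. Fills *out, points *msg at the embedded message (possibly empty) and
 * returns 0, or returns -1 on any format violation. */
static int parse_blob(const char *text, size_t expect, struct blob *out, const char **msg)
{
    unsigned char raw[2 + KEYNUMLEN + SIGBYTES];
    const char *b64, *end; int n;
    if (strncmp(text, COMMENTHDR, strlen(COMMENTHDR)) != 0)
        return -1;                                  /* signify insists on this header */
    if ((b64 = strchr(text, '\n')) == NULL)
        return -1;
    b64++;
    end = strchr(b64, '\n');
    n = b64_decode(b64, end ? (size_t)(end - b64) : strlen(b64), raw, sizeof raw);
    if (n != (int)(2 + KEYNUMLEN + expect))
        return -1;                                  /* wrong length for this blob type */
    if (raw[0] != 'E' || raw[1] != 'd')
        return -1;                                  /* pkalg must be "Ed" (Ed25519) */
    memcpy(out->keynum, raw + 2, KEYNUMLEN);
    memcpy(out->data, raw + 2 + KEYNUMLEN, expect);
    if (msg)
        *msg = end ? end + 1 : "";
    return 0;
}

/* signify -V stops here when the signature was made with a different key number. */
static int keynum_matches(const struct blob *pub, const struct blob *sig)
{
    return memcmp(pub->keynum, sig->keynum, KEYNUMLEN) == 0;
}

/* Constructed inputs. "RWQA" is base64 of 'E','d',0x00 (real keys also start
 * with "RWQ"); every further 'A' is a zero byte, "AAA=" closes the 74-byte sig. */
#define A10 "AAAAAAAAAA"
#define A50 A10 A10 A10 A10 A10
static const char PUB_OK[] = COMMENTHDR "constructed key, number 00..00\n"
    "RWQA" A50 "AA" "\n";
static const char PUB_OTHER[] = COMMENTHDR "constructed key, number 01..00\n"
    "RWQB" A50 "AA" "\n";                           /* 'E','d',0x01: other key number */
static const char SIG_EMBEDDED[] = COMMENTHDR "verify with constructed key\n"
    "RWQA" A50 A10 A10 A10 A10 "AA" "AAA=" "\n"
    "SHA256 (constructed.tgz) = <placeholder digest>\n";

/* 1 when PUB_OK and SIG_EMBEDDED parse and their key numbers match; *message_out
 * then holds what "signify -V -e ... -m -" would print after a successful check. */
int demo_good_pair(const char **message_out)
{
    struct blob pub, sig;
    if (parse_blob(PUB_OK, PUBLICBYTES, &pub, NULL) != 0 ||
        parse_blob(SIG_EMBEDDED, SIGBYTES, &sig, message_out) != 0)
        return 0;
    return keynum_matches(&pub, &sig);
}

/* 1 when the key-number mismatch between PUB_OTHER and SIG_EMBEDDED is caught. */
int demo_wrong_key(void)
{
    struct blob pub, sig;
    if (parse_blob(PUB_OTHER, PUBLICBYTES, &pub, NULL) != 0 ||
        parse_blob(SIG_EMBEDDED, SIGBYTES, &sig, NULL) != 0)
        return 0;
    return !keynum_matches(&pub, &sig);
}
```

The key-number comparison is only a routing check: a matching key number tells you which public key the signer meant, not that the signature is valid, so a real verifier still has to run the Ed25519 check on the 32-byte key, the 64-byte signature and the recovered message before trusting the SHA256 list.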
05-06-2014, 04:39 PM   #6
j_v
This is very interesting. Thanks mancha. Your contributions are exemplary.
 
05-06-2014, 06:04 PM   #7
hitest
Cool

mancha,

Thanks for doing this. I've only just started to use signify on OpenBSD 5.5 (May 1st) and I like it a lot.
 
05-07-2014, 01:04 AM   #8
kooru
Very interesting. Thanks
 
05-07-2014, 07:25 AM   #9
JWJones
Very cool, nice work.
 
05-08-2014, 11:13 PM   #10
mancha
Thanks for all the positive feedback!

My port is self-contained so there's no reason it can't be used on other "unixes". In fact, the new version I just uploaded to
SF builds and runs on Cygwin. To reflect this, I'm calling it signify-portable rather than signify-linux.

If you successfully build & use this port on another OS (other than Linux and Cygwin-Windows) let me know and I'll add it to the
list.

I took advantage of this update to sync with upstream (very minor changes) and re-arranged README and BACKGROUND a bit.
The HOWTO remains unchanged and I recommend it for a quick example-driven introduction.

Barring force majeure, I don't plan another release until OpenBSD 5.6 ships.

--mancha

Last edited by mancha; 05-08-2014 at 11:42 PM.
 
05-09-2014, 09:46 AM   #11
mancha
I just uploaded signify-portable-20140509.tar.bz2 which fixes a small dangling descriptor bug </OCD>. All you need to get is
the new tarball and edit the SlackBuild to reflect the new version (i.e. 20140509) or re-download signify.SlackBuild.

--mancha
 
05-09-2014, 09:52 AM   #12
dunric
Good stuff. Just studying the diff to the orig. sources ;-)
Btw. I would welcome, and even like to participate in, a conversion of OpenBSD's LibreSSL to Linux.
 
05-09-2014, 10:48 AM   #13
mancha
dunric:

I'm glad you're interested enough to review diffs; that's a great way to learn what I did in my signify porting exercise.

On LibreSSL, I agree with you it's a very interesting project. In fact, I'm actively tracking it and have made a few small contributions.

I've not tried porting it for two reasons: 1) OpenBSD has said they have plans to produce a portable version, and 2) it's still
undergoing so many substantive changes that beginning a port now would be a non-stop effort. That said, I encourage you to look
at what they've done so far if you're interested.

Regarding #1, you will probably be happy to learn OpenBSD is already doing things with a future portable version in mind. There's
another good reason to wait for OpenBSD's portable version: porting LibreSSL can be tricky. It is easy, if you don't really understand
the underlying codebase, to inadvertently undo OpenBSD's improvements or introduce bugs of your own. For example, this
porting effort, already underway, is making decisions I disagree with:

Code:
#include <strings.h>
#define explicit_bzero bzero
The whole point of explicit_bzero is so bzero doesn't get optimized away. That #define effectively neutralizes OpenBSD's improvement.

At some point in the near future, it probably makes sense to start a new thread on this and depending on how things stand maybe
put a group together to look into getting LibreSSL working on Slackware.

--mancha

Last edited by mancha; 05-09-2014 at 09:45 PM. Reason: add some LibreSSL links; discuss porting pitfalls
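The `#define explicit_bzero bzero` quoted above is the security point of this post: a memset or bzero on a buffer that is never read again is a dead store, and an optimizing compiler is entitled to drop it, so the secret stays in memory. The following is an added example, not code from this thread, from OpenBSD, or from the LibreSSL port being criticised; it shows the simplest portable replacement that keeps the intended behaviour (a loop of volatile stores) next to the usage pattern where the difference matters. The function names and the constructed key bytes are assumptions made for the example.

```c
/* Added example, not code from the thread, OpenBSD or the LibreSSL port it
 * criticises. It shows why "#define explicit_bzero bzero" is wrong and what a
 * portable replacement looks like. bzero/memset on a buffer that is never read
 * again is a dead store, which the optimizer is entitled to delete, so the
 * secret stays in memory. Writing through a volatile pointer makes every store
 * an observable side effect the compiler must emit. */
#include <stddef.h>
#include <stdio.h>

/* Portable explicit_bzero replacement: one volatile byte store per position. */
void portable_explicit_bzero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* "Is every byte zero" check without an early exit, used by the demo below. */
int is_all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Typical pattern: a secret lives in a stack buffer for one operation, then is
 * wiped before return. The wipe is the last access to 'key', so with plain
 * bzero() the call is dead and may vanish at -O2; the volatile version stays. */
unsigned char use_key_once(void)
{
    unsigned char key[32], checksum = 0;
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (unsigned char)(0xA5 ^ i);     /* constructed secret, not real key material */
    for (size_t i = 0; i < sizeof key; i++)
        checksum ^= key[i];                     /* stand-in for "using" the key */
    portable_explicit_bzero(key, sizeof key);   /* NOT: bzero(key, sizeof key); */
    return checksum;
}

/* 1 when a buffer holding constructed key material reads back as all zero after the wipe. */
int demo_wipe_ok(void)
{
    unsigned char key[32];
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (unsigned char)(0xA5 ^ i);
    portable_explicit_bzero(key, sizeof key);
    return is_all_zero(key, sizeof key);
}

int main(void)
{
    printf("checksum %u, wipe ok: %d\n", use_key_once(), demo_wipe_ok());
    return 0;
}
```

A unit test cannot observe the difference, because reading the buffer back after the wipe is exactly the use that keeps a plain bzero alive; the way to check a shim like this is to compile the function at -O2 and confirm in the disassembly that the stores are still emitted. OpenBSD's own implementation takes a different route inside libc; the volatile-store loop is simply the smallest replacement that is correct under the language rules and does not undo the upstream improvement the way the quoted #define does.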
 
05-27-2014, 04:31 PM   #14
moisespedro
It worked flawlessly, thanks mancha
 
09-10-2014, 01:34 AM   #15
mancha
I recently sync'd my signify port with OpenBSD. Signify now uses hash tables, which should improve performance, while the handling
of the prng and secure memory is more robust. I recommend that those using my port upgrade to the latest version:
signify-portable 20140902.

The optional passphrase patch is now bundled in the tarball and can be applied, as before, by setting PASSPHRASE to yes. i.e.

Code:
# PASSPHRASE=yes sh signify.SlackBuild
To build the new version, you need three files:
  1. signify.SlackBuild
  2. signify-portable-20140902.tar.bz2
  3. slack-desc
The project directory also contains SHA256 digest lists signed with my PGP & signify keys for those wishing to verify their downloads.

Enjoy.

--mancha
 
  

