diff --git a/file-verification/19.png b/file-verification/19.png new file mode 100644 index 0000000..b496a20 Binary files /dev/null and b/file-verification/19.png differ diff --git a/file-verification/index.md b/file-verification/index.md index f1d480f..8e3faa2 100644 --- a/file-verification/index.md +++ b/file-verification/index.md 
@@ -188,6 +188,81 @@ Now after this process you have ended with an hash that you authenticated, you c Now after this process you have ended with an hash that you authenticated, you can use this hash with the file verification process to finish and verify the origin of the file downloaded. +#### Minisign (CLI) +For this example, we'll be showing both sides (the project maintainer and user) + +Both sides must have Minisign installed + +```bash +root@localhost:~# apt install minisign +``` + +##### Maintainer +1. The maintainer generates their own key-pair for signing releases. This may prompt for a password to encrypt the secret key. + + ```bash + maintainer@localhost:~$ minisign -G + Please enter a password to protect the secret key. + + Password: + Password (one more time): + Deriving a key from the password in order to encrypt the secret key... done + + The secret key was saved as /home/maintainer/.minisign/minisign.key - Keep it secret! + The public key was saved as minisign.pub - That one can be public. + + Files signed using this key pair can be verified with the following command: + + minisign -Vm -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + ``` + + The public key (which in this case is `RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI`) can be shared with others on a site, or where-ever the downloads are hosted. It can even be shared as a QR code or on the phone thanks to how small it is. + + ```bash + maintainer@localhost:~$ sudo apt install qrencode + maintainer@localhost:~$ qrencode -o pubkey_qr.png RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + ``` + + ![](19.png) + +2. The maintainer generates a checksum file of the latest binary release, We'll be using SHA-512 for this. + + ```bash + maintainer@localhost:~$ sha512sum program > SHA512SUMS + ``` + +3. The maintainer signs the checksum file with their Minisign key. 
+ + ```bash + maintainer@localhost:~$ minisign -S -m SHA512SUMS + Password: + Deriving a key from the password and decrypting the secret key... done + + ``` + +##### User + +1. The user downloads the program, the SHA512 checksum file, and the signature of that file. + +2. The user verifies the Minisign signature with the public key. + + If it's a good signature, Minisign's output may be something like this: + + ```bash + user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + Signature and comment signature verified + Trusted comment: timestamp:1750090525 file:SHA512SUMS hashed + ``` + + However, if it's a **bad signature**, Minisign's output may be something like this instead: + + ```bash + user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + Signature verification failed + ``` + +3. The user verifies the SHA-512 checksum file with the program, like normal + ----- ### **Zero Trust Policy** #### **!!! Important !!!** @@ -209,21 +284,3 @@ In this game its all about who has the better chances, no such thing as 100%, th - building projects - Taking the source code and building your own program, this is completely the best zero trust policy existing for software(especially if you know programming languages). check this [post](../compilation/index.md) to know more - - -## **Other Usage of PGP Keys** - -- Git Commit Verification - -- Encrypting Emails - -- General Encryption - -- SSH Authentication - -## **Finishing words** -The dark web its a big place with all the varieties of personalities, from good to bad, from smart to dumb, from kids to adults, you should always keep yourself safe here. - -opsec is important, don't take it lightly, at the end you are your only security. - -Be wary!, Be Paranoid!, Be Invisible!
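Review bot: In the Minisign hunk, the user's step 1 says to download "the signature of that file" but the hunk never names that file, so a reader following the maintainer steps cannot tell what to publish and a user cannot tell what to fetch; after `minisign -S -m SHA512SUMS`, state the signature file Minisign writes beside the input (`SHA512SUMS.minisig`), and list it explicitly in user step 1, e.g. "the program, `SHA512SUMS`, and `SHA512SUMS.minisig`". Second, the public key is described as shareable "on a site, or where-ever the downloads are hosted", and the user's verify step pastes that same key with `-P`; verifying against a key obtained from the download host only proves the file matches whatever key that host serves, so add a sentence tying this back to the section above it (obtain or cross-check the public key out of band, which is exactly why the preceding text ends with "an hash that you authenticated"). Minor: "where-ever" should be "wherever", "release, We'll" should be "release. We'll", and the install commands switch between a `root@localhost` prompt with plain `apt install` and a `maintainer@localhost` prompt with `sudo apt install`; pick one form.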
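Review bot: The second hunk (`@@ -209,21 +284,3 @@`) deletes the entire "Other Usage of PGP Keys" and "Finishing words" sections, which is unrelated to adding the Minisign walkthrough and is not mentioned anywhere in this change; if those sections were moved to another page, this diff should show the move or the commit message should name the destination, otherwise they should be restored so the page still closes with its opsec guidance and the cross-references to git commit verification, email encryption and SSH authentication are not lost.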