mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/opsec-blogposts.git
synced 2025-07-01 22:16:41 +00:00
Merge pull request 'minisign' (#20) from cynthia/opsec-blogposts:main into main
Reviewed-on: http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/opsec-blogposts/pulls/20
This commit is contained in:
commit
286e99ca76
2 changed files with 75 additions and 18 deletions
BIN
file-verification/19.png
Normal file
BIN
file-verification/19.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 475 B |
|
|
@ -188,6 +188,81 @@ Now after this process you have ended with an hash that you authenticated, you c
|
||||||
|
|
||||||
Now after this process you have ended with an hash that you authenticated, you can use this hash with the file verification process to finish and verify the origin of the file downloaded.
|
Now after this process you have ended with an hash that you authenticated, you can use this hash with the file verification process to finish and verify the origin of the file downloaded.
|
||||||
|
|
||||||
|
#### Minisign (CLI)
|
||||||
|
For this example, we'll be showing both sides (the project maintainer and user)
|
||||||
|
|
||||||
|
Both sides must have Minisign installed
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@localhost:~# apt install minisign
|
||||||
|
```
|
||||||
|
|
||||||
|
##### Maintainer
|
||||||
|
1. The maintainer generates their own key-pair for signing releases. This may prompt for a password to encrypt the secret key.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
maintainer@localhost:~$ minisign -G
|
||||||
|
Please enter a password to protect the secret key.
|
||||||
|
|
||||||
|
Password:
|
||||||
|
Password (one more time):
|
||||||
|
Deriving a key from the password in order to encrypt the secret key... done
|
||||||
|
|
||||||
|
The secret key was saved as /home/maintainer/.minisign/minisign.key - Keep it secret!
|
||||||
|
The public key was saved as minisign.pub - That one can be public.
|
||||||
|
|
||||||
|
Files signed using this key pair can be verified with the following command:
|
||||||
|
|
||||||
|
minisign -Vm <file> -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
|
||||||
|
```
|
||||||
|
|
||||||
|
The public key (which in this case is `RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI`) can be shared with others on a site, or where-ever the downloads are hosted. It can even be shared as a QR code or on the phone thanks to how small it is.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
maintainer@localhost:~$ sudo apt install qrencode
|
||||||
|
maintainer@localhost:~$ qrencode -o pubkey_qr.png RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. The maintainer generates a checksum file of the latest binary release, We'll be using SHA-512 for this.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
maintainer@localhost:~$ sha512sum program > SHA512SUMS
|
||||||
|
```
|
||||||
|
|
||||||
|
3. The maintainer signs the checksum file with their Minisign key.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
maintainer@localhost:~$ minisign -S -m SHA512SUMS
|
||||||
|
Password:
|
||||||
|
Deriving a key from the password and decrypting the secret key... done
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
##### User
|
||||||
|
|
||||||
|
1. The user downloads the program, the SHA512 checksum file, and the signature of that file.
|
||||||
|
|
||||||
|
2. The user verifies the Minisign signature with the public key.
|
||||||
|
|
||||||
|
If it's a good signature, Minisign's output may be something like this:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
|
||||||
|
Signature and comment signature verified
|
||||||
|
Trusted comment: timestamp:1750090525 file:SHA512SUMS hashed
|
||||||
|
```
|
||||||
|
|
||||||
|
However, if it's a **bad signature**, Minisign's output may be something like this instead:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
|
||||||
|
Signature verification failed
|
||||||
|
```
|
||||||
|
|
||||||
|
3. The user verifies the SHA-512 checksum file with the program, like normal
|
||||||
|
|
||||||
-----
|
-----
|
||||||
### **Zero Trust Policy**
|
### **Zero Trust Policy**
|
||||||
#### **!!! Important !!!**
|
#### **!!! Important !!!**
|
||||||
|
|
@ -209,21 +284,3 @@ In this game its all about who has the better chances, no such thing as 100%, th
|
||||||
|
|
||||||
- <b>building projects</b> - Taking the source code and building your own program, this is completely the best zero trust policy existing for software(especially if you know programming languages).
|
- <b>building projects</b> - Taking the source code and building your own program, this is completely the best zero trust policy existing for software(especially if you know programming languages).
|
||||||
check this [post](../compilation/index.md) to know more
|
check this [post](../compilation/index.md) to know more
|
||||||
|
|
||||||
|
|
||||||
## **Other Usage of PGP Keys**
|
|
||||||
|
|
||||||
- <b>Git Commit Verification</b>
|
|
||||||
|
|
||||||
- <b>Encrypting Emails</b>
|
|
||||||
|
|
||||||
- <b>General Encryption</b>
|
|
||||||
|
|
||||||
- <b>SSH Authentication</b>
|
|
||||||
|
|
||||||
## **Finishing words**
|
|
||||||
The dark web its a big place with all the varieties of personalities, from good to bad, from smart to dumb, from kids to adults, you should always keep yourself safe here.
|
|
||||||
|
|
||||||
opsec is important, don't take it lightly, at the end you are your only security.
|
|
||||||
|
|
||||||
Be wary!, Be Paranoid!, Be Invisible!
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue