diff --git a/file-verification/19.png b/file-verification/19.png new file mode 100644 index 0000000..b496a20 Binary files /dev/null and b/file-verification/19.png differ diff --git a/file-verification/index.md b/file-verification/index.md index a367394..8e3faa2 100644 --- a/file-verification/index.md +++ b/file-verification/index.md 
@@ -188,6 +188,81 @@ Now after this process you have ended with an hash that you authenticated, you c Now after this process you have ended with an hash that you authenticated, you can use this hash with the file verification process to finish and verify the origin of the file downloaded. +#### Minisign (CLI) +For this example, we'll be showing both sides (the project maintainer and user) + +Both sides must have Minisign installed + +```bash +root@localhost:~# apt install minisign +``` + +##### Maintainer +1. The maintainer generates their own key-pair for signing releases. This may prompt for a password to encrypt the secret key. + + ```bash + maintainer@localhost:~$ minisign -G + Please enter a password to protect the secret key. + + Password: + Password (one more time): + Deriving a key from the password in order to encrypt the secret key... done + + The secret key was saved as /home/maintainer/.minisign/minisign.key - Keep it secret! + The public key was saved as minisign.pub - That one can be public. + + Files signed using this key pair can be verified with the following command: + + minisign -Vm -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + ``` + + The public key (which in this case is `RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI`) can be shared with others on a site, or where-ever the downloads are hosted. It can even be shared as a QR code or on the phone thanks to how small it is. + + ```bash + maintainer@localhost:~$ sudo apt install qrencode + maintainer@localhost:~$ qrencode -o pubkey_qr.png RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + ``` + + ![](19.png) + +2. The maintainer generates a checksum file of the latest binary release, We'll be using SHA-512 for this. + + ```bash + maintainer@localhost:~$ sha512sum program > SHA512SUMS + ``` + +3. The maintainer signs the checksum file with their Minisign key. 
+ + ```bash + maintainer@localhost:~$ minisign -S -m SHA512SUMS + Password: + Deriving a key from the password and decrypting the secret key... done + + ``` + +##### User + +1. The user downloads the program, the SHA512 checksum file, and the signature of that file. + +2. The user verifies the Minisign signature with the public key. + + If it's a good signature, Minisign's output may be something like this: + + ```bash + user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + Signature and comment signature verified + Trusted comment: timestamp:1750090525 file:SHA512SUMS hashed + ``` + + However, if it's a **bad signature**, Minisign's output may be something like this instead: + + ```bash + user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI + Signature verification failed + ``` + +3. The user verifies the SHA-512 checksum file with the program, like normal + ----- ### **Zero Trust Policy** #### **!!! Important !!!**
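Review bot: The key-distribution advice in the Maintainer step 1 paragraph ("can be shared with others on a site, or where-ever the downloads are hosted") undercuts the whole scheme: if the public key sits on the same host as the binary, SHA512SUMS and the .minisig, whoever can swap the binary can also swap the key and re-sign everything, and the user's `minisign -Vm SHA512SUMS -P ...` check will still print "Signature and comment signature verified". Suggest rewording to say the key (or at least its fingerprint) should be published through a second channel the download host does not control, e.g. a project page, a social profile or the QR code shown, and that the user should compare the `-P` value against that out-of-band copy rather than copying it from the download page. Smaller points in the same hunk: the echoed `minisign -G` output reads `minisign -Vm -P RWQ...` with no file argument, so either the `<file>` placeholder was lost or the line should be checked against real output; step 3 of the Maintainer section and step 1 of the User section never name the `SHA512SUMS.minisig` file that `minisign -S -m SHA512SUMS` produces and that `-Vm` looks for, so say so explicitly; "where-ever" should be "wherever", "release, We'll" should be "release. We'll", the `![](19.png)` image has no alt text, and the install lines mix `root@localhost:~# apt install` with `maintainer@localhost:~$ sudo apt install`; pick one form.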