求助：数字签名 或 文件完整性检测

[chengmoYS]

不晓得发错板块没？看了半天，觉得gpg也算个程序、软件，就发这里了。


目的：我现在有一软件，给其他公司使用，其他公司使用我们的软件测试某些硬件环境产生结果文件，然后把结果文件提供给我。

我要求检测其他公司提供过来的结果文件，确定他们没有修改过。

我就是要求能够检测他们是否修改过，当然希望他们保持原始结果文件，没有修改。

当然其他公司也可以查看该结果文件。

我在网上查了查。数字签名技术gpg 和 文件完整性检查tripwire aide，貌似符合我的需要。


但是gpg可以加密解密，请问它提供只给文件添加数字签名，而不加密文件内容吗？

[thlgood]

可以用
openssl md5 filename校验md5值
也可以用
openssl sha1 filename
校验

[chengmoYS]

可以用
openssl md5 filename校验md5值
也可以用
openssl sha1 filename
校验

你没明白我的意思，还是我没有说清楚？！

[chengmoYS]

可以用
openssl md5 filename校验md5值
也可以用
openssl sha1 filename
校验

我这样说，我把软件给他用，软件自动生成，他把结果文件发邮件给我或拷贝给我。什么样的传输过程不管。

关键是我得确定他们没有修改数据。

所以你说的Openssl md5 不行。

[冲浪板]

问题是文件生成的时候就要被签名，否则改后再签名又咋样？

是用软件签名，并且钥匙是在软件内，这样也不可靠啊。

其实就只能加密了。在文件格式上做封闭，也不太可靠。

[chengmoYS]

问题是文件生成的时候就要被签名，否则改后再签名又咋样？

是用软件签名，并且钥匙是在软件内，这样也不可靠啊。

其实就只能加密了。在文件格式上做封闭，也不太可靠。

所以提及gpg啊，我这里有密钥和密匙，在软件中添加公钥，通过公钥加密结果文件。

当结果被送回来，我通过密钥和密匙，验证结果文件是否是被数字签名的。

我就要这个效果。我看了好半天的man gpg但是不太懂。

[冲浪板]

问题是有公钥的话，别人可以给任意文件签名了？

这里有另一个事，你让那单位自己签名，以后出错了就不能赖帐了。

加密、签名应该是两对钥匙，对方用你的公钥加密（只有你来解密），对方用自己的私钥签名，你有他公钥匙来辨认签名。操作的顺序我就记不清了，反正软件自己执行。

[冲浪板]

“签名”，应该用自己的私钥。LZ是借用概念。

不知道软件是不是不让用公钥“签名”呢。

PDF也可以用证书签名，没见说用公钥，是私钥来签的

[daf3707]

冲浪板再身了
话说坛子里原有精华　白话GPG

[冲浪板]

我等11.10呐

[chengmoYS]

如果公钥不能签名，那么我如何保证结果文件是正确的呢？

这个该如何解决？

我也在实验，发现拥有密钥的系统，可以对外发有数字签名的文件。外面的人有公钥，就可以验证那些文件的正确性。

但是现在我要求是反过来的。

[chengmoYS]

GPG :（全称 GnuPG ) 是一款非对称加密(PGP)的免费软件，非对称加密方式简单讲就是指用公钥加密文件，用私钥解密文件。如果你想给谁发送加密信息，首先你要得到他的公钥，然后通过该公钥加密后传给他，对方利用自已的私钥就可解密并读取文件了。

gpg可以实现双方的通讯 所以 拥有公钥的一方也可以加密文件 私钥那边解开得 所以应该也有这样得签名吧 我咋就没整出来

[冲浪板]

签名也是一种加密。
用私钥签名（加密），公钥可以解开，表明文件是拥有私钥的人（一般就一人）签名（加密）的。

[daf3707]

那LZ的需求应该在生成结果文件之时就自动签名，否则无法保证签名前未被修改

[chengmoYS]

那LZ的需求应该在生成结果文件之时就自动签名，否则无法保证签名前未被修改

嗯 应该是使用软件调用gpg给结果文件签名

我弄了2天也就实现了 私钥签名 公钥验证

至于公钥签名 私钥验证 还没弄出来

分发者A，接收者B

分发者A
1.检查密钥对
查看当前系统中是否存在密钥对
[speed@localhost ~]$ gpg --list-keys

[speed@localhost ~]$ gpg --list-public-keys

[speed@localhost ~]$ gpg --list-secret-keys

[speed@localhost ~]$

2.生成密钥对
在当前系统中生成密钥对
[speed@localhost ~]$ gpg --gen-key

gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.



Please select what kind of key you want:

(1) RSA and RSA (default)

(2) DSA and Elgamal

(3) DSA (sign only)

(4) RSA (sign only)

Your selection? #默认

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) #默认

Requested keysize is 2048 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) #默认

Key does not expire at all

Is this correct? (y/N) y #y



GnuPG needs to construct a user ID to identify your key.



Real name: huiwu.li
#名称
Email address: [email protected] #邮箱

Comment: gpg
#注释
You selected this USER-ID:

"huiwu.li (gpg) <[email protected]>"



Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
#O
You need a Passphrase to protect your secret key.



can't connect to `/home/speed/.gnupg/S.gpg-agent': No such file or directory

#弹出 pinentry-gtk-2 窗口，提示 Enter passphrase，输入passphrase为qwe123。点击 OK。
#弹出 pinentry-gtk-2窗口，提示 Warning: You have entered an insecure passphrase. A passphrase should be at least 8 characters long。点击 Take this one anyway。
We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

gpg: key 0C357A30 marked as ultimately trusted

public and secret key created and signed.



gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

pub 2048R/5977ABD5 2011-09-27

Key fingerprint = 7C7D 281A 5D6A 8A58 84D0 21FC 6B80 4F43 5977 ABD5

uid huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27



[speed@localhost ~]$

3.列出密钥对
显示当前系统中的密钥对
[speed@localhost ~]$ gpg --list-keys

/home/speed/.gnupg/pubring.gpg

------------------------------

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27



[speed@localhost ~]$ gpg --list-public-keys

/home/speed/.gnupg/pubring.gpg

------------------------------

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27



[speed@localhost ~]$ gpg --list-secret-keys

/home/speed/.gnupg/secring.gpg

------------------------------

sec 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

ssb 2048R/CB3645CF 2011-09-27



[speed@localhost ~]$


显示数字签名
[speed@localhost ~]$ gpg --list-sigs

/home/speed/.gnupg/pubring.gpg

------------------------------

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sig 3 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27

sig 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>



[speed@localhost ~]$ gpg --check-sigs

/home/speed/.gnupg/pubring.gpg

------------------------------

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sig!3 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27

sig! 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>



[speed@localhost ~]$

4.导出公钥
[speed@localhost ~]$ gpg --output public.key --export [email protected]

[speed@localhost ~]$ [ -e public.key ] && echo "1" || echo "0"

1

[speed@localhost ~]$

5.备份密钥
[speed@localhost ~]$ gpg --output secret.key --export-secret-keys [email protected]

[speed@localhost ~]$ [ -e secret.key ] && echo "1" || echo "0"

1

[speed@localhost ~]$

6.分发公钥
将分发者A上的公钥public.key分发到接收者B上

接收者B
1.导入公钥
将分发者A的公钥导入接收者B的当前系统中
[user@localhost ~]$ gpg --list-keys

[user@localhost ~]$ gpg --list-public-keys

[user@localhost ~]$ gpg --list-secret-keys

[user@localhost ~]$

[user@localhost ~]$ gpg --list-sigs

[user@localhost ~]$ gpg --check-sigs

[user@localhost ~]$

[user@localhost ~]$ gpg --import public.key

gpg: key 5977ABD5: public key "huiwu.li (gpg) <[email protected]>" imported

gpg: Total number processed: 1

gpg: imported: 1 (RSA: 1)

[user@localhost ~]$

[user@localhost ~]$ gpg --list-keys [email protected]

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27



[user@localhost ~]$ gpg --list-public-keys [email protected]

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27



[user@localhost ~]$ gpg --list-secret-keys [email protected]

gpg: error reading key: No secret key

[user@localhost ~]$

[user@localhost ~]$ gpg --list-sigs [email protected]

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sig 3 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27

sig 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>



[user@localhost ~]$ gpg --check-sigs [email protected]

pub 2048R/5977ABD5 2011-09-27

uid huiwu.li (gpg) <[email protected]>

sig!3 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27

sig! 5977ABD5 2011-09-27 huiwu.li (gpg) <[email protected]>



[user@localhost ~]$

2.核对指纹
[user@localhost ~]$ gpg --fingerprint [email protected]

pub 2048R/5977ABD5 2011-09-27

Key fingerprint = 7C7D 281A 5D6A 8A58 84D0 21FC 6B80 4F43 5977 ABD5

uid huiwu.li (gpg) <[email protected]>

sub 2048R/CB3645CF 2011-09-27



[user@localhost ~]$

3.对公钥进行签名
确认该公钥为分发者A分发的公钥，对该公钥签名。
[user@localhost ~]$ gpg --edit-key [email protected]

gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.





pub 2048R/5977ABD5 created: 2011-09-27 expires: never usage: SC

trust: unknown validity: unknown

sub 2048R/CB3645CF created: 2011-09-27 expires: never usage: E

[ unknown] (1). huiwu.li (gpg) <[email protected]>


Command> list



pub 2048R/5977ABD5 created: 2011-09-27 expires: never usage: SC

trust: unknown validity: unknown

sub 2048R/CB3645CF created: 2011-09-27 expires: never usage: E

[ unknown] (1)* huiwu.li (gpg) <[email protected]>



Command> uid 1



pub 2048R/5977ABD5 created: 2011-09-27 expires: never usage: SC

trust: unknown validity: unknown

sub 2048R/CB3645CF created: 2011-09-27 expires: never usage: E

[ unknown] (1)* huiwu.li (gpg) <[email protected]>



Command> trust 1

pub 2048R/5977ABD5 created: 2011-09-27 expires: never usage: SC

trust: unknown validity: unknown

sub* 2048R/CB3645CF created: 2011-09-27 expires: never usage: E

[ unknown] (1)* huiwu.li (gpg) <[email protected]>



Please decide how far you trust this user to correctly verify other users' keys

(by looking at passports, checking fingerprints from different sources, etc.)



1 = I don't know or won't say

2 = I do NOT trust

3 = I trust marginally

4 = I trust fully

5 = I trust ultimately

m = back to the main menu



Your decision? 5
#5
Do you really want to set this key to ultimate trust? (y/N) y
#y


pub 2048R/5977ABD5 created: 2011-09-27 expires: never usage: SC

trust: ultimate validity: unknown

sub* 2048R/CB3645CF created: 2011-09-27 expires: never usage: E

[ unknown] (1)* huiwu.li (gpg) <[email protected]>

Please note that the shown key validity is not necessarily correct

unless you restart the program.



Command> save

Key not changed so no update needed.

[user@localhost ~]$


场景
场景1
分发者A生成含有数字签名的文件分发到接收者B，接收者B验证文件的正确性

1.在分发者A上生成test，并对该文件使用数字签名，生成test.sig
[speed@localhost ~]$ cat > test << EOF

> gpg

[speed@localhost ~]$ gpg --output test.sig --local-user [email protected] --detach-sign test



You need a passphrase to unlock the secret key for

user: "huiwu.li (gpg) <[email protected]>"

2048-bit RSA key, ID 5977ABD5, created 2011-09-27



can't connect to `/home/speed/.gnupg/S.gpg-agent': No such file or directory

#弹出 pinentry-gtk-2 窗口，提示 Please enter the passphrase to unlock the secret key for the OpenPGP certificate: "huiwu.li (gpg) <[email protected]>" 2048-bit RSA key, ID 0C357A30, created 2011-09-27.，输入passphrase为qwe123。点击 OK。
[speed@localhost ~]$ [ -e test.sig ] && echo "1" || echo "0"

1

[speed@localhost ~]$


分发者A自己先验证下
[speed@localhost ~]$ gpg --verify test.sig

gpg: Signature made Tue 27 Sep 2011 03:08:51 PM CST using RSA key ID 5977ABD5

gpg: Good signature from "huiwu.li (gpg) <[email protected]>"

[speed@localhost ~]$


2.接收者B得到了分发者A上的文件test和test.sig；接收者B验证文件的正确性
文件正确时，即文件内容在分发者A分发之后没有发生改变
[user@localhost ~]$ gpg --verify test.sig

gpg: Signature made Tue 27 Sep 2011 03:08:51 PM CST using RSA key ID 5977ABD5

gpg: Good signature from "huiwu.li (gpg) <[email protected]>"

gpg: WARNING: This key is not certified with a trusted signature!

gpg: There is no indication that the signature belongs to the owner.

Primary key fingerprint: 7C7D 281A 5D6A 8A58 84D0 21FC 6B80 4F43 5977 ABD5

[user@localhost ~]$


文件错误时，即文件内容在分发者A分发之后发生了改变
[user@localhost ~]$ gpg --verify test.sig

gpg: Signature made Tue 27 Sep 2011 03:08:51 PM CST using RSA key ID 5977ABD5

gpg: BAD signature from "huiwu.li (gpg) <[email protected]>"

[user@localhost ~]$

场景2
接收者B生成含有数字签名的文件返回到分发者A，分发者A验证文件的正确性