Comparing the SHA256 of a file after it has been uploaded allows us to check that it hasn’t changed. This doesn’t tell us if the file has been tampered with though – it would be easy enough for a someone to change the binary, and then change the hash so it matches.
To check the file was created by the person who said it was created by, we need to verify a cryptographic signature. The steps are fairly simple:
- We upload the new binary, our public key and the signature file.
- We check that the public key has been signed by a trusted certificate authority – if this fails, the CA can’t vouch for the person signing it, so we shouldn’t trust it.
- We decrypt the signature file using the public key. This is the original SHA256 hash of the binary. If we can’t decrypt it, we can’t compare the hashes
- We SHA256 the binary ourselves
- We compare the hash we computed with the file that was uploaded. If the two hashes match, then the binary hasn’t been tampered with, and we can trust it.
I took the previous POC code, and extended it to do just that.
I’ve covered generating a certificate authority before, as well as generating a certificate. The last bit to do is to sign out binary. Again, using OpenSSL:
openssl dgst -sha256 -sign cert/developer.key.pem -out data/sig256 data/data.txt