Can you tell me how to generate a checksum/hash for a .tar archive with a php script of mine that I offer for download? I mainly want this as integrity verification mechanism. Is there any free/simple/alternative way instead of obtaining a code signing certificate (eg Comodo)? Thanks.
Edit: I don't know if this makes any sense/is applicable, but I don't want to sign every file one by one, just the result .tar archive.
Well some open-source projects like the Apache Webserver give out SHA1-sums and additionally release a GPG/PGP signature. You can use gnupg for that which is free.
You create a key-pair and share the public-key (on the website or with a key-server like http://pgp.mit.edu/) and keep the private-key on your side. The private-key is used for signing the .tar and your users can then verify the .tar with the public-key.
Just generate an sha1 hash of the archive using the unix command line tool sha1sum filename.tar or any other program or tool that generates hashes. Then when you offer your file for download also list the output of that command, and once users download the archive they can do the same thing and if the outputs match, the files are the same.
Related
I am developing a Chrome extension for my company. The extension uses Chrome native messaging, so I am using Wix to create an installer for the host application (Just copy the binary and write a specific registry).
The native host application needs a configuration file, because the host application is performing crypto operations and in order to do that, the user needs to provide his pkcs12 keystore with signing certificates.
My first thought was to create the configuration file during installation. User would provide a path to his keystore file, the installer would write that path into the config file and copy it into the installation directory next to the host binary. I was searching the internet for hours just to find out it is not possible to select a file using Wix, only a directory.
My question is, is this actually true and there is really no way of doing this, and if so, what would you suggest? It's not very user-friendly to ask users to copy their keystore into a particular location. My second idea was to just put a text field and tell the user to fill in the path to their keystore file, but that isn't user-friendly either.
Thank you for all your suggestions
Universal Windows apps are in .appx file, which is simply a zip of a bunch of files and metadata. Most of the metadata files are extensively documented on the Microsoft website and are trivial to parse and/or regenerate. However AppxSignature.p7x remains a mystery.
From this diagram (source):
AppxSignature.p7x should have hashes of the AppxBlockMap.xml, content & directory hashes, and a signature. However I cannot find any documentation of the AppxSignature.p7x file itself. Ideally I would like to use an alternative tool to produce and verify this signature, e.g. openssl/gnutls or similar. A practical use for this is to update and repackage apps on Linux, and prepare .appxupload file for the Windows Store.
As described in the blog post you link to, the AppxBlockMap.xml file stores cryptographic block hashes for every file in the package. This file is verified and secured with a digital signature when the package is signed using authenticode.
So, on windows, you have two tools:
MakeAppx.exe that creates the package (.zip format) and the blockmap file at the same time. This is important, as what's in the block map corresponds closely to the .zip file bits, you can't just any zipping tool for this step, you must program the zip/app package creation using some ZIP API.
SignTool.exe that adds the signature to the package using "standard" authenticode.
With the Windows API you can do the same as MakeAppx using the
Packaging API and you can do the same as SignTool using The SignerSign function.
The whole MakeAppx process is not documented IMHO, but the blockmap schema is in fact described here: Package block map schema reference which is relatively easy to understand.
The Authenticode signature for PE document is documented here: Windows Authenticode Portable Executable Signature Format
But it's only for PE (.dll, .exe, etc.) files (note it's also possible to sign .CAB files), and I don't think how SignerSign builds AppxSignature.p7x is documented. However, there is an open source tool here that does it here: https://github.com/facebook/fb-util-for-appx. You will notice this file https://github.com/facebook/fb-util-for-appx/blob/master/PrivateHeaders/APPX/Sign.h that declares what should be used as input for signing. I have no idea where they got that information.
The P7X format is just 0x504B4358 ("PKCX") followed by PKCS #7 data in the DER format. DER is described by ASN.1.
What methods exist to include parameters (such as userid) into the setup.exe that users download from a server?
I'm looking for a way to give a customized installer to users that I already know (because they are logged in).
Is your question tied with some technology/installation system? Or you are researching which installation system to use to achieve this functionality?
In NSIS there is option to append custom data to installer, see this article: http://nsis.sourceforge.net/ReadCustomerData.
Maybe the easiest would be to send a setup_whateverparameter.exe filename instead of setup.exe...
A smarter approach would probably be to store parameter into a ressource file which would be edited from command line with some tool like http://www.reseditor.com/
Another one would be to generate a sort of INI file which would be packed with the original setup file using some installer software like Inno Setup (http://www.jrsoftware.org/isinfo.php) and the original installer would be configured to check if some ini file exists in a temporary location, to just use its content to do specific tasks.
Other possibilities might exists, thoses are just the one which might be the most easy to implement.
#elfrancesco hinted at Ninite and Patrick from Ninite got back to me with:
We put the installer id in a segment of the .exe that doesn't get
included in the hash for the signature. So we just sign our loader
.exe once whenever we update it and then our web server drops in the
key for each download.
My installer build "signs" a DLL using a Code Signing certificate during the build process.
I've noticed that if I try to build twice in succession, the second build fails because the DLL is already signed so signcode chokes. Obviously I can fix this by signing a copy of the DLL in the build, but the problem intrigued me:
Is it possible to "unsign" a DLL, and if not, why not...?
signtool remove /s C:\path\to.exe.or.dll
signtool is available in Windows SDK, and must be at least from Windows 8 SDK kit (version 6.2.9200.20789) to have the remove command supported.
You can use delcert.exe from the this XDA Forum post.
here is a small tool that strips (removes) digital sign (Authenticode)
from PE executable files like *.exe, *.dll, *.mui, etc.
It's fairly easy to remove the signature from a .dll file using the ImageRemoveCertificate API.
You don't have any language specified in your tags but this article shows how to implement it in C#. Remove digital signature from a file using C#
Other than that, if you are looking for a simple tool to do the work for you, you can use FileUnsigner.
Another possible option is to switch to the SignTool.exe. It comes with the Windows SDK and signing a binary that has already been signed does not generate an error. I use signtool.exe in my build process and haven't any difficulties with it, even when something is already signed.
Also, check out the question What's the main difference between signcode.exe and signtool.exe?
Sure it's possible, but not trivial.
Although it would be easier to save a copy of the presigned DLL.
This digital signature is little more than an extra section appended to the end of a PE file. You could write a program that deleted the signature, if you want.
It's not quite as simple as truncating the file; you have to remove references to the signature in the file header. It could get complicated if the DLL has multiple signatures and you just want to remove one.
The format of a PE file is publicly documented here
Check if your build tool supports "Re-signing". This should replace all existing signatures.
If not, you can use Stud_PE to remove the signature block.
Open the DLL or EXE in Stud_PE, go to the sections tab, right click the digital signature section and select "Delete section". However, this needs user interaction. Old versions of the tool could destroy the file.
I have some huge images in a folder on the web version of Dropbox that I need to make a shell script to download them one by one (There isn't enough room on my SDD and can't download the whole folder). I know using "wget" I can download a file:
wget link_to_the_file
However since I have many images it is not feasible to get the download link of each of them manually. I'm looking for a way of obtaining downloading link for each of them through the shell. Any suggestions?
Dropbox offers an API you can use to write a program to list and download multiple files.
For instance, you can use /2/files/list_folder[/continue] to list files, and then use /2/files/download to download them.
Those are links to the HTTPS endpoints, but there are corresponding native methods in the official SDKs, if you want to use one of those.