Verifying the integrity/lineage of a file

Thomas Jollans tjol at tjol.eu
Fri Aug 31 11:12:11 EDT 2018


On 2018-08-31 16:36, Malcolm Greene wrote:
> I have a use case where I need to distribute binary files to customers and
> want to provide a way for our customers to verify the
> "integrity/lineage" (I know there's a better description, but can't
> think of it) of these files, e.g. to give them the confidence that the
> files in question are from me and haven't been altered.
> Here are the methods I can think of using Python:
> 
> 1. Use hashlib to hash each file (SHA256)+ and send the hashes
>    separately for verification
> 2. Use hmac to sign each file
> 3. Use a 3rd party crypto library to sign each file and use a set of
>    public/private SSH keys for verification
> Any suggestions on techniques and/or libraries appreciated. 
> 
> Thank you,
> Malcolm
> 

The two most common methods used in open source projects are checksums
(that you could generate with hashlib) and GPG signatures. Often (e.g.
[1]) these are combined: provide a signed list of checksums.

[1] http://cdimage.ubuntu.com/ubuntu/releases/bionic/release/

What you're describing sounds like a good use of GPG/PGP signatures.
Just sending hashes leaves open the question of the integrity of the
message containing the hashes, but it's certainly the simplest solution.
I'm not qualified to comment on HMAC.
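
The combined approach mentioned in the reply (a list of checksums that is itself signed), sketched as an added example that is not part of the original post. It builds and checks a manifest in the `sha256sum` line format; the function names and sample files are constructed for illustration, and the GPG signature on the manifest is assumed to be created and verified outside the script.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(directory, names):
    """Publisher side: one '<hex digest> *<name>' line per file."""
    lines = [f"{sha256_file(Path(directory) / n)} *{n}" for n in names]
    return "\n".join(lines) + "\n"


def verify_manifest(directory, manifest_text):
    """Customer side: return {name: 'OK' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        expected, name = line.split(maxsplit=1)
        if name.startswith("*"):  # '*' marks binary mode in sha256sum output
            name = name[1:]
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected.lower()):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: two small files, one altered after the manifest is made."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "app.bin").write_bytes(b"\x7fELF constructed sample")
        (Path(tmp) / "data.bin").write_bytes(b"constructed payload")
        manifest = write_manifest(tmp, ["app.bin", "data.bin"])
        # The publisher would sign the manifest here (gpg --detach-sign) and the
        # customer would check that signature before trusting any line in it.
        (Path(tmp) / "data.bin").write_bytes(b"constructed payload, altered")
        return verify_manifest(tmp, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest check only proves the files match the list; the signature on the list is what ties it to the publisher, so the customer verifies that first with the publisher's public key.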
