Verifying the integrity/lineage of a file
Peter Pearson
pkpearson at nowhere.invalid
Fri Aug 31 13:18:04 EDT 2018
On Fri, 31 Aug 2018 08:36:52 -0600, Malcolm Greene <python at bdurham.com> wrote:
> I have use case where I need to distribute binary files to customers and
> want to provide a way for our customers to verify the
> "integrity/lineage" (I know there's a better description, but can't
> think of it) of these files, eg. to give them the confidence that the
> files in question are from me and haven't been altered.
[snip]
This is exactly what digital signatures are for. GPG is free, and will
serve as well as anything. Generate a public/private key pair, email
the public key to the customer, and phone the customer to compare key
"fingerprints" to verify that the key hasn't been altered in transit
(very unlikely, but cryptologists are a cautious bunch).
Just using HMAC requires sharing a secret with the customer, which
means that you have to trust the customer not to forge authentications.
A real digital signature avoids this problem by separating the signing
key (your private key) from the verifying key (the public key).
--
To email me, substitute nowhere->runbox, invalid->com.
More information about the Python-list
mailing list