Digitally Sign tar.gz file - digital-signature

I need to digitally sign a tar.gz file, and have no idea how to do it. I understand the concept, and I know how to sign a jar/zip file. But I cannot find a way that will work with a tar.gz file.
Can anyone point me in the right direction, or tell me why this cannot be done?
Thanks!

One of the options is to use a detached signature using an OpenPGP key or X.509 certificate. Both GnuPG and OpenSSL should be able to produce detached signatures. Of course, you will get a separate file with the signature, but this is the only viable option, as for me.
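The detached-signature approach from the answer above, as an added example that is not part of the original post. It uses OpenSSL with a throwaway RSA key pair (a bare key rather than an X.509 certificate), and every file name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example: detached signature for a .tar.gz with OpenSSL.
# Key, archive and paths are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Signer side: writes <archive>.sig next to the archive, archive is untouched.
sign_archive() {    # $1 = private key (PEM), $2 = archive
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Recipient side: exit status 0 only if <archive>.sig matches the archive bytes.
verify_archive() {  # $1 = public key (PEM), $2 = archive
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Constructed sample payload packed into a tar.gz.
mkdir "$WORK/pkg"
echo "hello" > "$WORK/pkg/README"
tar -czf "$WORK/pkg.tar.gz" -C "$WORK" pkg

# Throwaway key pair; a real signer keeps priv.pem offline and publishes pub.pem.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/priv.pem" 2>/dev/null
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"

sign_archive "$WORK/priv.pem" "$WORK/pkg.tar.gz"

if verify_archive "$WORK/pub.pem" "$WORK/pkg.tar.gz"; then
    echo "original archive: signature OK"
fi

# A single appended byte is enough to invalidate the signature.
cp "$WORK/pkg.tar.gz" "$WORK/tampered.tar.gz"
cp "$WORK/pkg.tar.gz.sig" "$WORK/tampered.tar.gz.sig"
printf 'x' >> "$WORK/tampered.tar.gz"

if verify_archive "$WORK/pub.pem" "$WORK/tampered.tar.gz"; then
    echo "tampered archive: accepted (unexpected)"
else
    echo "tampered archive: rejected"
fi
```

The GnuPG equivalent is `gpg --detach-sign pkg.tar.gz` on the signer side and `gpg --verify pkg.tar.gz.sig pkg.tar.gz` on the recipient side. In both cases the check is only as trustworthy as the channel through which the recipient obtained the public key.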

Related

Why is the id_rsa.pub file a .pub file?

The id_rsa.pub file is basically some encrypted text in the .ssh folder under the home folder in Linux and is used for public-key cryptography. It uses the .pub file format. But why does this file format also happen to be the file extension for Microsoft Publisher? Microsoft Publisher isn't involved with this kind of encryption in any way, so why does id_rsa.pub also use .pub? Also, how do computer programs distinguish between these uses?
Nobody enforces file extension choices.
The file extension .pub was selected for a public key because it is short for public.
The file extension .pub was selected for a Microsoft Publisher document because it is short for Publisher.
That they conflict is unfortunate.
There is no central registry for file extensions, so many extensions are re-used by different applications.
A better system for figuring out 'what type is this file' is probably not an extension, but a mime-type. But because there's no standard way for a file to say 'I am this mimetype' and that information to be carried along with the file, systems end up using extensions for this and sometimes there's a collision.

How do you encrypt a .mp3 audio file?

I've recorded an interview as an .mp3 file and would like to send this file to someone over email. Because the contents of the interview needs to remain confidential, I need to find some way to encrypt it.
I tried zipping an audio file with the 7-zip program, and encrypting the zipped package, but when I tested this by sending the audio file to two friends (along with the password), one person got the message "an error occurred" and another got the message "unable to open this file."
I found this website, which seems promising, but it is way too technical for me. Does anyone know of a simple way to encrypt audio files?
7-zip can encrypt a file while compressing, not after. Just add a password while you're making the .7z file. (Note that mp3 files won't compress much, if at all. You're just using 7-zip for its encryption).
You could also use PGP, if the person you're sending the file to has given you (or registered) a public key. PGP is a higher level of security than most zip programs.

What Good is Sharing Security Keys along with Downloads

Sometimes I see a list of keys along with a download that I believe are meant to verify if a downloaded file is legit. For example here
http://cdimage.ubuntu.com/releases/12.04/release/
There are SHA1 sums at the end of the download page.
I assume the process is, you download file, verify it using these sums. However, if someone hacked the page and installed a modified version of download files, wouldn't they change the SHA sums as well? Then what is the purpose of sharing the sums / keys along with downloads?
"That they can also be used to verify the integrity of the dl, check if your file wasn't corrupted, and to verify authenticity of remote mirrors" are good enough for me.

ilmerge with a PFX file

It would appear that VS2012 uses PFX files for signing instead of SNK files. I get the impression this is related to delayed signing; but I don't care.
When I build my application, I can use "sn -tp <my assembly>" and see it is signed.
When I ilmerge the debug folder and use the /keyfile directive (the way I was successfully doing with SNK files), the DLLs merge into one unsigned DLL.
I have read articles suggesting clever workarounds, such as extracting the public key from the original DLL and then using this in the /keyfile directive...which also failed to allow me to create a strongly signed DLL.
So, what do I need to do to get ilmerge to work with the PFX file so that my assembly will be strongly typed?
Thanks
I recently was attempting to do just the same thing (this time with VS 2015, but I am sure the results are the same).
PFX files are password-protected by default and ILMerge (at the time of this writing) does not appear to support them.
Manual Signing
The "clever workaround" as you describe it is presented here, and it appears to be the only way to accomplish this:
>sn -p some.pfx some.pub
>ilmerge /keyfile:some.pub /delaysign /out:merged\some.dll some.dll
>sn -R merged\some.dll some.pfx
Note that extracting the public key from the PFX file requires user input - allegedly it was previously possible to pipe in the password, but the current version of sn.exe does not permit console redirection.
Automated (CI Build System) Signing
In order to strong sign ILMerged assemblies in an automated way, it is necessary to install the key on the local build machine. This still requires user input in the form of password input, but only has to be done once per build machine.
As before, we need to extract the public key from the PFX file (this only has to be done once, and the PUB file can be saved alongside the PFX or even checked-in to source).
Here is the one-time setup code (both require password input):
>sn -p some.pfx some.pub
>sn -i some.pfx SomeContainerName
During the automated build, it is now possible to run:
>ilmerge /keyfile:some.pub /delaysign /out:merged\some.dll some.dll
>sn -Rc merged\some.dll SomeContainerName

generated a rsa key with keytool - where is it?

I created a RSA key pair using keytool, but I need to get the public key.
I've read all around but can't find this information anywhere.
Is there a way to get that information? Or even where are the files located in windows 7?
Any suggestion will help..
thanks!
The key is stored under your user directory.
If you're on Windows it's under Users/ragalante/.keystore.
