Hello, all. I've just committed import of libgcrypt and implementation of related code to check signatures. Short usage: verify_detached FILE FILE.sig [pubkey.gpg] trust KEY.gpg distruct KEYID check_signatures=[enforce|no]
grub-mkimage -k KEY gcry_dsa verify [...] When check_signatures=enforce every time anthing tries to open a file its signature (file.sig) is looked for and the open fails if signature is absent or invalid. Some limitations: 1) DSA keys only. RSA is more tricky since it needs padding and RSA should be progressively phased out, not put into new places due to some vulnerabilities (large classes of semiprimes are factorisable up to the point when a lot of care has to be taken to avoid them). 2) Not efficient. Checking every file is slow. Some hashlists should be implemented. 3) Not efficient. File is read twice though it's avoidable in many cases. -- Regards Vladimir 'φ-coder/phcoder' Serbinenko
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
