Hi, I am trying to use the grub verify module to verify a detached signature I signed using gpg on Linux. I did two different signings. Both of them failed, but at the different places in grub_verify_signature(). I am wonder if I did something wrong or the module has some bugs in it. Let me detail my procedure here. The text file, signature file and my public key are all attached.
Signing Approach 1
-----------------------
On my Ubuntu system, say I want to detached sign myfile.txt
> gpg --detach-sign myfile.txt
It creates the signature file myfile.txt.sig. I noticed it uses ripemd160 hash
algorithm. Then I export my public key as
> gpg --output my.pubkey --export 'w...@moka5.com'
The my.pubkey file contains my public key. Then I create a grub rescue cd
image with all these three file myfile.txt myfile.txt.sig and my.pubkey.
> grub-mkrescue -o image.iso ./myfile.txt ./myfile.txt.sig ./my.pubkey
After this, I booted the image and at the grub prompt I did
grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey
It returns bad signature in grub_verify_signature() after following line:
...
hash->final (context);
grub_dprintf ("crypt", "alive\n");
hval = hash->read (context);
if (grub_file_read (sig, hash_start, sizeof (hash_start)) != sizeof
(hash_start))
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
if (grub_memcmp (hval, hash_start, sizeof (hash_start)) != 0)
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
<-- - failed here
My understanding is it calls ripemd160 algorithm to verify a two byte hash
value and it failed. So I try to change the algorithm using in gpg for hashing
as follows:
Signing Approch 2
---------------------
I just sign the myfile.txt with sha512 like this:
> gpg --digest-algo sha512 --detach-sign myfile.txt
It creates a myfile.txt.sig file. Then a created the iso image and boot just as
in approach 1.
grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey
This time I went much further in grub_verify_signature(). It seem failed at
last when calling dsa verify routine:
unsigned nbits = gcry_mpi_get_nbits (sk->mpis[1]);
grub_dprintf ("crypt", "must be %u bits got %d bits\n", nbits,
(int)(8 * hash->mdlen));
<---- Here debug output is: must be 17 bits got 512 bits
....
if (!grub_crypto_pk_dsa)
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("module `%s' isn't
loaded"), "gcry_dsa");
if (grub_crypto_pk_dsa->verify (0, hmpi, mpis, sk->mpis, 0, 0))
<------ failed here.
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
So I guess I was not doing right somewhere? Have you tested this verification
module? The grub_dprintf() output (expecting 17bits but got 512 bits) is very
suspicious.
For this Verify module to work, what tool and what procedure should I follow to
sign a file?
Thanks so much,
WeiThis is my file.
myfile.txt.sha512.sig
Description: myfile.txt.sha512.sig
myfile.txt.ripemd160.sig
Description: myfile.txt.ripemd160.sig
my.pubkey
Description: my.pubkey
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
