On Thu, 28 Mar 2013 16:15:09 -0700, Wei Hu <w...@mokafive.com> wrote:
> Hi,
>
> I am trying to use the grub verify module to verify a detached signature I
> signed using gpg on Linux. I did two different signings. Both of them failed,
> but at different places in grub_verify_signature(). I am wondering if I did
> something wrong or the module has some bugs in it. Let me detail my procedure
> here. The text file, signature file and my public key are all attached.
>
> Signing Approach 1
> -----------------------
>
> On my Ubuntu system, say I want to detached sign myfile.txt
>
> > gpg --detach-sign myfile.txt
>
> It creates the signature file myfile.txt.sig. I noticed it uses ripemd160
> hash algorithm. Then I export my public key as
>
> > gpg --output my.pubkey --export 'w...@moka5.com'
>
> The my.pubkey file contains my public key. Then I create a grub rescue cd
> image with all these three files myfile.txt myfile.txt.sig and my.pubkey.
>
> > grub-mkrescue -o image.iso ./myfile.txt ./myfile.txt.sig ./my.pubkey
>
> After this, I booted the image and at the grub prompt I did
>
> grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey
>
> It returns bad signature in grub_verify_signature() after following line:
> ...
>     hash->final (context);
>     grub_dprintf ("crypt", "alive\n");
>     hval = hash->read (context);
>     if (grub_file_read (sig, hash_start, sizeof (hash_start)) != sizeof (hash_start))
>       return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
>
>     if (grub_memcmp (hval, hash_start, sizeof (hash_start)) != 0)
>       return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
> <-- - failed here
>
> My understanding is it calls ripemd160 algorithm to verify a two byte hash
> value and it failed.

Yes, fails here as well. Adding debug output, it reads correct bytes at correct offset from signature, but the first two bytes of hval differ.

> So I try to change the algorithm used in gpg for hashing as follows:
>
> Signing Approach 2
> ---------------------
>
> I just sign the myfile.txt with sha512 like this:
>
> > gpg --digest-algo sha512 --detach-sign myfile.txt
>
> It creates a myfile.txt.sig file. Then I created the iso image and booted just
> as in approach 1.
>
> grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey
>
> This time I went much further in grub_verify_signature(). It seems to have
> failed at last when calling dsa verify routine:
>
>     unsigned nbits = gcry_mpi_get_nbits (sk->mpis[1]);
>     grub_dprintf ("crypt", "must be %u bits got %d bits\n", nbits,
>                   (int)(8 * hash->mdlen));
> <---- Here debug output is: must be 17 bits got 512 bits
>     ....
>     if (!grub_crypto_pk_dsa)
>       return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("module `%s' isn't loaded"), "gcry_dsa");
>     if (grub_crypto_pk_dsa->verify (0, hmpi, mpis, sk->mpis, 0, 0))
> <------ failed here.
>       return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
>
>
> So I guess I was not doing right somewhere? Have you tested this verification
> module? The grub_dprintf() output (expecting 17 bits but got 512 bits) is very
> suspicious.
>
> For this Verify module to work, what tool and what procedure should I follow
> to sign a file?
>
> Thanks so much,
>
> Wei
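
The two-byte comparison that fails in approach 1 is the OpenPGP "left 16 bits of signed hash value" quick check (RFC 4880, section 5.2.3). The Python below is an added example, not part of this thread or of GRUB's code: it recomputes that check for a version 4 binary detached signature so the expected two bytes can be compared against what a verifier reports. The function names and the sample packet are constructed for illustration, the packet's DSA values are dummies (the DSA verification itself is not performed), and RIPEMD-160 (id 3) is left out of the map because not every hashlib build provides it.

```python
import hashlib
import struct

HASHES = {2: "sha1", 8: "sha256", 10: "sha512"}  # RFC 4880 section 9.4 ids

def parse_v4_sig(pkt):
    """Return (hash id, hashed part of the body, left 16 bits) of a v4 signature packet."""
    tag, lentype = pkt[0], pkt[0] & 3
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2 or lentype == 3:
        raise ValueError("expected an old-format signature packet with a definite length")
    nlen = 1 << lentype                           # 1, 2 or 4 length octets
    body = pkt[1 + nlen:1 + nlen + int.from_bytes(pkt[1:1 + nlen], "big")]
    if body[0] != 4 or body[1] != 0x00:
        raise ValueError("only v4 binary-document signatures are handled")
    hlen = struct.unpack(">H", body[4:6])[0]      # hashed subpacket length
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]  # unhashed subpacket length
    left16 = body[8 + hlen + ulen:10 + hlen + ulen]
    if len(left16) != 2:
        raise ValueError("truncated signature packet")
    return body[3], body[:6 + hlen], left16

def signed_digest(data, hash_id, hashed_part):
    """Hash the document, then the hashed part of the packet, then the v4 trailer."""
    h = hashlib.new(HASHES[hash_id])
    h.update(data)
    h.update(hashed_part)
    h.update(b"\x04\xff" + struct.pack(">I", len(hashed_part)))
    return h.digest()

def quick_check(data, pkt):
    """True when the digest's first two bytes match the packet's left-16-bits field."""
    hash_id, hashed_part, left16 = parse_v4_sig(pkt)
    return signed_digest(data, hash_id, hashed_part)[:2] == left16

def build_sample(data):
    """Constructed packet: DSA (17) / SHA-512 (10), one creation-time subpacket, dummy MPIs."""
    hashed = b"\x05\x02" + struct.pack(">I", 1364512509)
    head = bytes([4, 0x00, 17, 10]) + struct.pack(">H", len(hashed)) + hashed
    left16 = signed_digest(data, 10, head)[:2]
    body = head + b"\x00\x00" + left16 + b"\x00\x01\x01" * 2   # r = s = 1, not a real signature
    return bytes([0x88, len(body)]) + body

SAMPLE_DATA = b"constructed sample document\n"
SAMPLE_SIG = build_sample(SAMPLE_DATA)

if __name__ == "__main__":
    print("left 16 bits match:", quick_check(SAMPLE_DATA, SAMPLE_SIG))
```

To run it against a real pair of files, pass their raw bytes to `quick_check()`; a mismatch on a signature that gpg itself accepts points at the verifier's digest computation rather than at the signing procedure.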