www.gryphel.com/c/minivmac/extras/sigcheck - feedback

SigCheck *Alpha*


Download

sigcheck-0.2.0.zip (119K): a zipped HFS disk image and checksum file. The disk image can be mounted with Mini vMac. Includes source code.

SigCheck is a tool for checking the digital signatures throughout this website. (The SigWrite tool can write such signatures.) It is descended from code in MacPGP, and is generally compatible with it, but it is easier to legally distribute, since it doesn’t do cryptography. Since it only does one thing it should also be easier to use. It is still in development, and its behavior will likely change before it is finished.

To use SigCheck, launch the application, and in the editing window that appears, paste in a signed message. For example, here is a checksum for the SigCheck download, signed with Gryphel Key 1, the main public key for the Gryphel Project:

-----BEGIN PGP SIGNED MESSAGE-----

fc2af6759f1f01c856ec5740c1154043 sigcheck-0.2.0.zip

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBWlySBtiugru7WJg5AQGVywP+LkQH6lXXfW2V/9xr5uo+nDXs8hck+0zR
xvHJ1Jx/LN0baTQhPSEEJnTBhmFLBjlS7hzWjGcG172ZR6TagJtJRDYLQ7VRmD5l
9zu4YW4FgPYavi1eqE1JYKfRyv8q00hAj8+Tv6PFGE9BIyKHp75CJf3Yp3jxoy2R
dZls5M0ev7E=
=9jQL
-----END PGP SIGNATURE-----

To get text into the emulated Macintosh, you can use ClipIn.

Then click on the rectangle below the editing area. (Choosing the ‘Go’ command from the File menu of the emulated Macintosh will also work.)

The editing area is cleared. Next paste in the public key for the signed message. For this example, Gryphel Key 1:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCPA0FHd0kAAAEEAMhvsNBehhdvSMGZ+1F7SxesCIgm/kMn0c+Sns7H7364Mnb1
NaqR5YaIhwDrQ1fy3Yp/95WBpBhLlLQ+8T7hyd8UViU0hrdPIKyHI5bo0iKCj3ZE
J4zQzZ+motMBlsBX0AtVSrTcPSFF6v89gzel4sU+mF08zQEY5Niugru7WJg5ABEB
AAG0HlBhdWwgQy4gUHJhdHQsIHd3dy5ncnlwaGVsLmNvbQ==
=T3a0
-----END PGP PUBLIC KEY BLOCK-----

Before continuing, it would be a good idea to set Mini vMac to All Out speed. Then, on a modern computer, SigCheck should take less than a second to run. At 1x speed, or on a real Macintosh Plus, it takes much longer. The code of SigCheck is intended to be simple to understand and maintain, as opposed to fast.

Now, click on the rectangle below the editing area. If all is well, you should get an alert saying “Good signature.” Otherwise you should get an alert with some error message.

If the signature is good, you can next check that the md5 checksum in the message is correct, using Md5Im.

If SigCheck says the signature is good, that is strong evidence that the message was signed by the owner of the key. But you should be aware of a number of weaknesses:

First, the key might not belong to who you think it does. If someone has hacked the Gryphel Project website, or is intercepting all traffic between you and the website, then they can replace the keys displayed on this website as well. So you shouldn’t just get the key from the website whenever you need it; you should save your own copy. That still doesn’t protect you when you first get the key. One possible protection is to find other copies of the key on the web and compare them.

Second, the key might have been stolen. Once anyone else knows the key, it is pretty much useless. Securing information on a computer is a difficult problem. Actually, it is impossible to prove that a computer is completely secure. A computer not connected to the internet is much more likely to be secure, but that is usually impractical.

Third, the key might have been broken. The security of a key depends on the difficulty of factoring a large number into two primes. In 2009, a 768 bit key was broken. As of this writing (2018), no one has publicly broken a 1024 bit key; however, there have been predictions that it would be possible around now. It is quite possible that some large government organization now has that capability. Even if that is so, for most uses a 1024 bit key is probably still safe for signing. The capability would most likely be quietly used for decrypting. Forging signatures would make that capability publicly known, and so less useful.
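
As an added illustration (not SigCheck's own code, which is not shown on this page), the Python below parses the sample signature and Gryphel Key 1 above as PGP 2.6 old-format packets and reports the key ID the signature names, its hash algorithm, and the key's modulus size, the facts the first and third weaknesses turn on. The function names are this example's own, and it performs no signature verification.

```python
import base64

# Armor blocks copied from this page: the sample signature and Gryphel Key 1.
SIG = """-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBWlySBtiugru7WJg5AQGVywP+LkQH6lXXfW2V/9xr5uo+nDXs8hck+0zR
xvHJ1Jx/LN0baTQhPSEEJnTBhmFLBjlS7hzWjGcG172ZR6TagJtJRDYLQ7VRmD5l
9zu4YW4FgPYavi1eqE1JYKfRyv8q00hAj8+Tv6PFGE9BIyKHp75CJf3Yp3jxoy2R
dZls5M0ev7E=
=9jQL
-----END PGP SIGNATURE-----"""
KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCPA0FHd0kAAAEEAMhvsNBehhdvSMGZ+1F7SxesCIgm/kMn0c+Sns7H7364Mnb1
NaqR5YaIhwDrQ1fy3Yp/95WBpBhLlLQ+8T7hyd8UViU0hrdPIKyHI5bo0iKCj3ZE
J4zQzZ+motMBlsBX0AtVSrTcPSFF6v89gzel4sU+mF08zQEY5Niugru7WJg5ABEB
AAG0HlBhdWwgQy4gUHJhdHQsIHd3dy5ncnlwaGVsLmNvbQ==
=T3a0
-----END PGP PUBLIC KEY BLOCK-----"""

def packets(armor):    # yields (tag, body) for each old-format packet in one armor block
    lines = [l.strip() for l in armor.strip().splitlines()[1:-1]]
    # Armor headers end at the blank line; the line starting with "=" is the CRC-24.
    b64 = "".join(l for l in lines[lines.index("") + 1:] if not l.startswith("="))
    data, i = base64.b64decode(b64), 0
    while i < len(data):
        if data[i] & 0xC0 != 0x80 or data[i] & 3 == 3:
            raise ValueError("expected an old-format packet with a length field")
        n = 1 << (data[i] & 3)                       # 1, 2 or 4 length bytes
        end = i + 1 + n + int.from_bytes(data[i + 1:i + 1 + n], "big")
        yield (data[i] >> 2) & 0xF, data[i + 1 + n:end]
        i = end

def describe(armor):
    info = {}
    for tag, b in packets(armor):
        if tag == 2 and b[0] == 3 and b[1] == 5:     # version 3 signature
            info.update(signer=b[7:15].hex().upper(), hash_alg=b[16])  # hash 1 = MD5
        elif tag == 6 and b[0] in (2, 3):            # version 2/3 RSA public key
            bits = int.from_bytes(b[8:10], "big")    # bit length of the modulus n
            info.update(bits=bits, key_id=b[10:10 + (bits + 7) // 8][-8:].hex().upper())
        elif tag == 13:                              # user ID packet
            info["user_id"] = b.decode("latin-1")
    return info

def names_key(sig_armor, key_armor):    # a matching ID is a claim, not a verification
    return describe(sig_armor)["signer"] == describe(key_armor)["key_id"]
```

A matching key ID only shows which key the signature claims to come from; comparing against a saved copy of the key and running SigCheck remain the actual checks.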

SigCheck is in part descended from MacPGP source code, which, as far as I can tell, allows derived works for noncommercial use.

SigCheck handles only a subset of the signed messages that MacPGP does. This should include all the signed checksums found on this website.

See the Compiling page for instructions on compiling SigCheck from the source code.

If you find SigCheck useful, please consider helping the Gryphel Project, of which it is a part.

copyright (c) 2018 C. Pratt - last update 1/14/2018