www.gryphel.com/c/minivmac/extras/sigcheck - feedback


a Mini vMac Extra


sigcheck-1.1.0.zip (info): a zipped HFS disk image and checksum file. The disk image can be mounted with Mini vMac. Includes source code.

SigCheck is a tool for checking the digital signatures found throughout this website, to verify the integrity of downloads. Also, anyone can create their own signed message for SigCheck using the SigWrite tool.


To use SigCheck, launch the application, and in the editing window that appears, paste in a signed message. For example:

--------- GRY SIGNED TEXT ---------

Twas brillig, and the slithy toves
did gyre and gimble in the wabe:
All mimsy were the borogoves,
and the mome raths outgrabe.

------- BEGIN GRY SIGNATURE -------
-------- END GRY SIGNATURE --------

Copy all of the indented text above, which includes the message body, the signature, and the headers and footers. Then paste it into SigCheck. If SigCheck is run inside Mini vMac, this requires getting the clipboard into the emulated Macintosh. You can get text into the emulated Macintosh using the “Host Paste” command in the Edit menu of SigCheck. It is like the “Paste” command, except that it uses the clipboard of the real computer instead of the clipboard of the emulated computer. The keyboard shortcut is Command-Option-V. (The “Host Paste” command has a similar effect to using ClipIn and then the normal “Paste” command.)

Then click on the status bar, at the bottom of the window below the editing area. (Choosing the ‘Go’ command from the File menu of the emulated Macintosh will also work. The keyboard shortcut is Command-G.)

The editing area is cleared. Next paste in the public key for the signed message. For this example:

------ END GRY PUBLIC KEY ------

Before continuing, it would be a good idea to set Mini vMac to All Out speed. Then, on a modern computer, SigCheck should take less than a second to run. At 1x speed, or on a real Macintosh Plus, it takes much longer. The code of SigCheck is intended to be simple to understand and maintain, as opposed to fast.

Now, click on the status bar again. If all is well, the status bar should say “Good Signature.” Otherwise you should get an alert with some error message.

If SigCheck says the signature is good, that is strong evidence that the message was signed by the owner of the public key (the person who has the corresponding secret key). But you should be aware of a number of weaknesses:

First, the key might not belong to who you think it does. If someone has hacked the Gryphel Project website, or is intercepting all traffic between you and the website, then they can replace the public keys displayed on this website as well. So you shouldn’t just get the key from the website whenever you need it; you should save your own copy. That still doesn’t protect you when you first get the key. One possible protection is to find other copies of the key on the web and compare them.

Second, the key might have been stolen. Once anyone else knows the secret key, it is pretty much useless. Securing information on a computer is a difficult problem. Actually, it is impossible to prove that a computer is completely secure. A computer not connected to the internet is much more likely to be secure, but that is usually impractical.

Third, the key might have been broken. The security of a key depends on the difficulty of factoring a large number into two primes. In 2009, a 768-bit key was broken. As of this writing (2018), no one has publicly broken a 1024-bit key; however, there have been predictions that it would be possible around now. It is quite possible that some large government organization now has that capability. Even if that is so, for most uses a 1024-bit key is probably still safe for signing. The capability would most likely be quietly used for decrypting. Forging signatures would make that capability publicly known, and so less useful.

Fourth, the digest algorithm might have been broken. SigCheck computes a 40 byte digest from the message to compare with the decoded signature. I believe it to be impractical to construct another message that results in the same digest. But if someone figures out how, that would make SigCheck useless.

SigCheck is in part descended from MacPGP source code, which, as far as I can tell, allows derived works for noncommercial use.

If a file named “pub_key.txt” exists in the same folder as the application, then SigCheck will not ask for the public key, but instead get it from that file. So you can save time for a frequently used key by setting up a copy of SigCheck this way. You can save even more time by “wrapping” this copy of SigCheck with AutoQuit.

The first 12 characters in a signature after the “Gry/” (after the “BEGIN GRY SIGNATURE” line), should match the first 12 characters in the public key after the first “/”. In the above example, “AXuKqWsF8Rh5”. So if you have a text file with many public keys, you can easily search for the right key for a signature.
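
The key search described above can be scripted against a locally saved file of public keys. The following is an added example, not code from SigCheck or the Gryphel Project. Only the ID “AXuKqWsF8Rh5” and the signature and “END GRY PUBLIC KEY” marker lines come from this page; the body characters, the text before the “/” in each key, and the “BEGIN GRY PUBLIC KEY” line are assumptions.

```python
import re

# Constructed sample input. Only the ID "AXuKqWsF8Rh5" and the BEGIN/END
# signature and END public-key lines come from the page; the body characters,
# the text before "/" in each key, and the BEGIN public-key line are assumed.
SIGNED = """\
--------- GRY SIGNED TEXT ---------

Twas brillig, and the slithy toves

------- BEGIN GRY SIGNATURE -------
Gry/AXuKqWsF8Rh5PLACEHOLDERSIGBODY
-------- END GRY SIGNATURE --------
"""
KEYRING = """\
------ BEGIN GRY PUBLIC KEY ------
Gry/ZZZZZZZZZZZZPLACEHOLDERKEYONE
------ END GRY PUBLIC KEY ------
------ BEGIN GRY PUBLIC KEY ------
Gry/AXuKqWsF8Rh5PLACEHOLDERKEYTWO
------ END GRY PUBLIC KEY ------
"""

def blocks(text, label):
    """Bodies between '--- BEGIN <label> ---' and '--- END <label> ---',
    with all whitespace removed (pasted text is often indented or wrapped)."""
    lab = re.escape(label)
    pat = re.compile(r"^[ \t]*-+ BEGIN %s -+[ \t]*\n(.*?)^[ \t]*-+ END %s -+[ \t]*$"
                     % (lab, lab), re.M | re.S)
    return ["".join(m.group(1).split()) for m in pat.finditer(text)]

def signature_key_id(signed):
    """The 12 characters after 'Gry/' at the start of the signature."""
    sigs = blocks(signed, "GRY SIGNATURE")
    if len(sigs) != 1 or not sigs[0].startswith("Gry/") or len(sigs[0]) < 16:
        raise ValueError("expected exactly one signature starting with Gry/")
    return sigs[0][4:16]

def public_key_id(key):
    """The 12 characters after the first '/' in a public key body."""
    rest = key.partition("/")[2]
    return rest[:12] if len(rest) >= 12 else None

def find_keys(signed, keyring):
    """Every saved key whose ID matches the signature's. The ID only selects
    a candidate key; SigCheck still has to verify the signature with it."""
    wanted = signature_key_id(signed)
    return [k for k in blocks(keyring, "GRY PUBLIC KEY") if public_key_id(k) == wanted]

if __name__ == "__main__":
    print(find_keys(SIGNED, KEYRING))
```

A result with more than one key, or with none, means the saved key file should be checked before any key from it is pasted into SigCheck.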

SigChkTl is a command line version of SigCheck.

SigCheck is a successor to PSgCheck, which uses a different format that is more or less compatible with MacPGP.

See the Compiling page for instructions on compiling SigCheck from the source code.


If you find SigCheck useful, please consider helping the Gryphel Project, of which it is a part.

copyright (c) 2018 Paul C. Pratt - last update 10/19/2018