Compare commits

3 Commits

Author SHA1 Message Date
04fdbecc1a Add readme example and some TODOs 2025-11-23 12:51:48 -08:00
1fd2c9738a Change to more generic invocation 2025-11-23 12:51:39 -08:00
e45b575af2 Move substitutions outside of printf expression
On the advice of shellcheck
2025-11-23 12:23:48 -08:00
2 changed files with 40 additions and 2 deletions

@@ -2,6 +2,44 @@ This simple script takes a file as an argument and prompts the user for a messag
To verify that your message applies to the file they recieved, your recipient(s) would verify your signature of the script, and then run it (or merely inspect it if they don't trust you too much) which will confirm their file matches the one you wrote the message about.
Example:
I have a file foo.txt, so I run ():
`create-file-message.sh webpage.htm`
When prompted, enter the message to associate with the file.
Then sign the resulting webpage.htm.sh file
`gpg --sign webpage.htm.sh`
You will then have the following files which should be distributed together:
* webpage.htm
* webpage.htm.sh
* webpage.htm.sh.sig
Whoever wants to validate the file and the message will first import your public key, then they validate webpage.htm`
When prompted, enter the message to associate with the file.
Then sign the resulting webpage.htm.sh file
`gpg --sign webpage.htm.sh`
You will then have the following files which should be distributed together:
* webpage.htm
* webpage.htm.sh
* webpage.htm.sh.sig
Whoever wants to validate the file and the message will first import your public key, then they verify the script file with `gpg --verify webpage.htm.sh`, finally they run `./webpage.htm.sh` which will check whether the target file matches the stored hash and if so will display the message.
TODO: example of making it a function in your profile
TODO: guix package
Motivation:
Signing a file typically means "I authored this", but sometimes you want to sign something else, for example to indicate that you retrieved something on a given date.
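Review bot: The signing and verification commands in the example do not match the file list it gives. `gpg --sign webpage.htm.sh` writes a combined signed file named `webpage.htm.sh.gpg`, not a detached `webpage.htm.sh.sig`, and `gpg --verify webpage.htm.sh` is then pointed at the unsigned script rather than at a signature. Suggest `gpg --detach-sign webpage.htm.sh` for signing and `gpg --verify webpage.htm.sh.sig webpage.htm.sh` for verification. The intro line also says `foo.txt` and has an empty `()`, while every command uses `webpage.htm`; and the signing steps appear twice in the added text, so one copy can go.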

@@ -1,11 +1,11 @@
#! /bin/bash
#!/bin/env sh
MESSAGE="{message}"
FILE="{filename}"
EXPECTED_HASH="{filehash}"
if [ "$(sha256sum "$FILE" | awk '{print $1}')" = "$EXPECTED_HASH" ]; then
printf "File $FILE validated with message:\n$MESSAGE"
printf "File %%s validated with message:\\n%%s" "$FILE" "$MESSAGE"
exit 0
else
echo "File $FILE is not valid"
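Review bot: The new shebang `#!/bin/env sh` assumes `env` lives in `/bin`, which is not true on every system; `/usr/bin/env` is the conventional path, and since the target is plain `sh`, `#!/bin/sh` avoids the lookup entirely. Separately, `MESSAGE="{message}"` and `FILE="{filename}"` place the substituted text inside double quotes, so a message or filename containing `"`, `$` or a backtick is interpreted by the shell when the recipient runs the generated script, and the displayed message can differ from what was typed. Writing the values single-quoted, with any embedded `'` escaped as `'\''`, keeps them literal. The success `printf` format also has no trailing newline after the message.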