47 lines
2.3 KiB
Plaintext
This simple script takes a file as an argument and prompts the user for a message. Then a new script is created alongside the target file as (unknown).sh which has the message and file hash embedded. You would then sign the script file and distribute all three.
To verify that your message applies to the file they received, your recipient(s) would verify your signature of the script, and then run it (or merely inspect it if they don't trust you too much), which will confirm their file matches the one you wrote the message about.
Example:
I have a file foo.txt, so I run:
`create-file-message.sh webpage.htm`
When prompted, enter the message to associate with the file.
Then sign the resulting webpage.htm.sh file:
`gpg --sign webpage.htm.sh`
You will then have the following files which should be distributed together:
* webpage.htm
* webpage.htm.sh
* webpage.htm.sh.sig
Whoever wants to validate the file and the message will first import your public key, then they verify the script file with `gpg --verify webpage.htm.sh`, finally they run `./webpage.htm.sh` which will check whether the target file matches the stored hash and if so will display the message.
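The generator and the script it emits, as an added example written for this page (it is not the project's own create-file-message.sh). It assumes GNU coreutils for sha256sum, and takes the message as a second argument instead of prompting, so it runs unattended; the emitted script checks the file that sits beside it and prints the message only on a hash match.

```shell
#!/bin/sh
# Added example, not the project's create-file-message.sh: build a
# self-checking <file>.sh beside the target with the message and SHA-256
# embedded. Assumes GNU coreutils (sha256sum); the message is taken as the
# second argument instead of an interactive prompt so it runs unattended.

# Single-quote a string so it can be embedded safely in the generated script.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

create_file_message() {
  target=$1; message=$2
  [ -f "$target" ] || { echo "no such file: $target" >&2; return 1; }
  digest=$(sha256sum "$target" | cut -d' ' -f1)
  out="$target.sh"
  {
    printf '#!/bin/sh\n# Attestation script: verify its signature, then run it.\n'
    printf 'EXPECTED=%s\n' "$digest"
    printf 'TARGET=%s\n' "$(sq "$(basename "$target")")"
    printf 'MESSAGE=%s\n' "$(sq "$message")"
    # Quoted heredoc delimiter: nothing below is expanded at generation time.
    cat <<'EOF'
cd "$(dirname "$0")" || exit 1
ACTUAL=$(sha256sum "$TARGET" | cut -d' ' -f1)
if [ "$ACTUAL" = "$EXPECTED" ]; then
  printf '%s matches sha256 %s\n%s\n' "$TARGET" "$ACTUAL" "$MESSAGE"
else
  printf 'MISMATCH: %s does not match the attested hash\n' "$TARGET" >&2
  exit 1
fi
EOF
  } > "$out"
  chmod +x "$out"
  echo "$out"   # path of the generated script, ready for gpg --sign
}

# Stand-alone use: ./create-file-message.sh webpage.htm 'Retrieved 2024-01-01'
if [ "$#" -eq 2 ]; then create_file_message "$1" "$2"; fi
```

The recipient still has to run `gpg --verify` on the emitted .sh before executing it; the hash check inside it only proves the file matches, not who wrote the message.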
TODO: example of making it a function in your profile
TODO: guix package
Motivation:
Signing a file typically means "I authored this", but sometimes you want to sign something else, for example to indicate that you retrieved something on a given date.
However, just signing the file can't really convey that meaning. There are probably plenty of potential formats that could deal with this, but one very simple method is to create a bash file associated with the file you want to attest and have a message + file hash embedded in the script. Then you can sign the script, which ties the message to the specific version of the file. Whoever receives the trio of files would verify the script with the signature, then run the script, which would output the message if the target file matches the embedded hash.