
suggestion: verifying bcr.zip also by checksum #499

Closed
R44D44 opened this issue Feb 10, 2024 · 14 comments
Labels: enhancement (New feature or request)

Comments

R44D44 commented Feb 10, 2024

Hi, after searching half an hour for an easy way to verify your releases via the .sig file, I'd like to suggest posting some checksums on the release page as well. Thank you. The README.md and "verifying the digital signatures" does not really help me.

chenxiaolong self-assigned this Feb 11, 2024
chenxiaolong added the enhancement (New feature or request) label Feb 11, 2024

chenxiaolong (Owner) commented

I can start adding checksums for future releases, though please note that checksums are only good for verifying whether the download was corrupted.

In the unlikely event that, for example, my GitHub account is compromised and somebody uploads malware, the only way to know that the file is legitimate is with the digital signatures.

R44D44 (Author) commented Feb 12, 2024

As said, I searched for "ssh verify .sig" and similar and could not find an easy way. If you know one, maybe add it to the README.md and "verifying the digital signatures".

chenxiaolong (Owner) commented

I'm not sure if there's a user-friendly GUI way to do it. But the commands from the README should work on Linux, Windows, and Mac without installing anything. (Android with the Termux app should work as well, but I haven't personally tested it.)

R44D44 (Author) commented Feb 18, 2024

"But the commands from the README should work on ...Windows..."
Well, to me it's not so easy, and sorry in case it bothers you. Certainly this applies to any .sig file.
"To verify the signature of the zip file, first retrieve the public key."
First: it is not obvious to me how to retrieve it, and what to do with it.
Second: "gpg: keyserver receive failed: No keyserver available"

chenxiaolong (Owner) commented Feb 19, 2024

Can you post a link to the README you're looking at? There shouldn't be anything related to GPG if you're looking at the latest README. That was indeed more painful and I stopped signing with GPG after BCR version 1.30.

R44D44 (Author) commented Feb 22, 2024

README
I installed Gpg4win and used it unsuccessfully, also PowerShell with gpg --recv-key 2233C479609BDCEC43BE9232F6A3B19090EFF32C.

chenxiaolong (Owner) commented

Yep, that's a really old version of the README. The latest one is at https://github.com/chenxiaolong/BCR and no longer involves GPG.

R44D44 (Author) commented Feb 24, 2024

Back to #1:
"Verifying the digital signatures" does not really help me.
"First save the public key to a file that lists which keys should be trusted." How? Where?

chenxiaolong added a commit that referenced this issue Mar 3, 2024
Issue: #499

Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
chenxiaolong (Owner) commented

I pushed e5c5ebe to try and clarify that. The command right below that line does it.

R44D44 (Author) commented Mar 3, 2024

Well, I am close to giving up. I don't get what you are trying to say. "The command right below that line does it." Does what?
I opened a PowerShell window in the directory where BCR-1.60-release.zip and .zip.sig are located.
I paste

echo 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4' > bcr_trusted_keys

and press Enter: no reaction.
I paste

ssh-keygen -Y verify -f bcr_trusted_keys -I bcr -n file -s BCR-1.60-release.zip.sig < BCR-1.60-release.zip

and press Enter and get:

At line:1 char:85
+ ... bcr_trusted_keys -I bcr -n file -s BCR-1.60-release.zip.sig < BCR-1.6 ...
+                                                                 ~
The '<' operator is reserved for future use.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : RedirectionNotSupported

chenxiaolong (Owner) commented

You did everything right. Looks like I'll have to find a Windows machine to figure out why PowerShell doesn't like the command.

chenxiaolong added a commit that referenced this issue Mar 4, 2024
Issue: #499

Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
chenxiaolong (Owner) commented

Got access to a Windows system. I've updated the README so that the instructions now work on Windows: https://github.com/chenxiaolong/BCR#verifying-zip-file-signature.

R44D44 (Author) commented Mar 4, 2024

I used its copy function, pasted it into PowerShell and got:

PS D:\Eigene Dateien\pcloud\Androidessentials> echo 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4' | Out-File -Encoding ascii bcr_trusted_keys
>>
>> Start-Process -Wait -NoNewWindow -RedirectStandardInput BCR-<version>-release.zip ssh-keygen -ArgumentList "-Y verify -f bcr_trusted_keys -I bcr -n file -s BCR-<version>-release.zip.sig"
Start-Process : This command cannot be run because either the parameter "RedirectStandardInput 'D:\Eigene
Dateien\pcloud\Androidessentials\BCR-<version>-release.zip'" has a value that is not valid or cannot be used with this
command. Give a valid input and Run your command again.
At line:3 char:1
+ Start-Process -Wait -NoNewWindow -RedirectStandardInput BCR-<version> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], FileNotFoundException
    + FullyQualifiedErrorId : FileNotFoundException,Microsoft.PowerShell.Commands.StartProcessCommand

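The Windows procedure from the updated README, as an added example (not the README's own script or either participant's code): it takes the real version number as a parameter instead of leaving the BCR-<version>-release.zip placeholder in place, checks that the zip and .sig exist before calling Start-Process (so the FileNotFoundException above becomes a plain message), and optionally compares a published SHA-256 checksum, which only proves integrity, before running the signature check that proves authenticity. It assumes the BCR-<version>-release.zip naming used in this thread and that ssh-keygen (Windows OpenSSH) is on PATH.

```powershell
# Added example; not the BCR README's or the issue participants' own script.
# Verifies a BCR release zip in Windows PowerShell, which reserves the '<'
# redirection operator, by feeding the zip to ssh-keygen via Start-Process.
# Assumes the naming BCR-<version>-release.zip from this thread and that
# ssh-keygen (Windows OpenSSH) is on PATH.
param(
    [Parameter(Mandatory = $true)][string]$Version,   # e.g. 1.60
    [string]$ExpectedSha256                            # optional published checksum
)
$ErrorActionPreference = 'Stop'

$zip      = "BCR-$Version-release.zip"
$sig      = "$zip.sig"
$keysFile = 'bcr_trusted_keys'

# Fail with a plain message instead of Start-Process's FileNotFoundException,
# which is what an unreplaced <version> placeholder produces.
foreach ($f in @($zip, $sig)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Optional checksum: a match only shows the download is not corrupted; it says
# nothing about who produced the file. Authenticity comes from the signature.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
    if ($actual -ine $ExpectedSha256) { throw "SHA-256 mismatch: got $actual" }
    Write-Host 'Checksum OK (integrity only)'
}

# allowed_signers line: "<principal> <key type> <base64 key>". ASCII avoids the
# UTF-16 default of Windows PowerShell 5.1's Out-File, which ssh-keygen cannot
# parse. The key is the one quoted in this thread; confirm it against the README.
'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4' |
    Out-File -Encoding ascii -LiteralPath $keysFile

# ssh-keygen -Y verify reads the signed data from stdin and exits 0 only when
# the signature is valid for principal "bcr" in namespace "file".
$argList = @('-Y', 'verify', '-f', $keysFile, '-I', 'bcr', '-n', 'file', '-s', $sig)
$proc = Start-Process -FilePath 'ssh-keygen' -ArgumentList $argList `
    -RedirectStandardInput (Resolve-Path -LiteralPath $zip).Path `
    -Wait -NoNewWindow -PassThru

if ($proc.ExitCode -eq 0) {
    Write-Host "Signature OK: $zip"
} else {
    Write-Host "Signature FAILED (ssh-keygen exit code $($proc.ExitCode)); do not install $zip"
}
exit $proc.ExitCode
```

Run it from the directory holding the release files, e.g. `.\Verify-Bcr.ps1 -Version 1.60`; the script's exit code is ssh-keygen's, so a non-zero result means the signature did not verify.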
R44D44 (Author) commented Mar 4, 2024

Why don't you just post additional checksums as you said 3 weeks ago?
Testing code starts to annoy me.
