Code:
App: FXSignVerifier, A Signature Verifier For FMXInno
Date: 2024-June-16
Compiler: Zig v0.12.1
From now on, every FMXInno update attachment will be signed with a digital signature to verify that the update comes from a trusted source (in this case, me) and has not been tampered with.
So, what's the actual big deal with digital signing over a checksum? Is a checksum not enough?
Checksum:
Quote:
1. No, a checksum is not enough. A checksum is used to verify the integrity of a file. It ensures that the file has not been corrupted or altered during transmission or storage.
2. Checksums are not secure against intentional tampering because if someone alters the file, they can also recompute the checksum.
3. Additionally, a checksum doesn't ensure that the file is coming from the original author (a trusted source).
Digital Signature:
Quote:
1. That's why digital signing comes in handy. A digital signature provides both integrity and authenticity. It ensures that the file has not been corrupted or altered and verifies the identity of the author.
2. Digital signatures are much more secure. They provide strong guarantees against tampering and forgery because the private key is known only to the signer (author).
3. They ensure the origin of the file (authenticity) and protect against modifications/corruptions (integrity).
Usage:
Code:
FXSignVerifier.exe [-s sig_file] <-k pubkey> <-i file>
* You'll find the signature file and the public key for the latest version of FMXInno (2024-June-10) (.rar).
* The signature file will look like this:
Quote:
-----BEGIN SIGNATURE-----
Signature: signature from private key
RUTMYX9YetwBhHoWjuISrHpxLpFyXg2XiG02ff4cknKQU/6CAGlDsEIzuptvOLwACYfwEZhxNU9BRs4Kk78+obqIjcAPLkXU uQI=
Trusted: timestamp:1718633776, file:FMXInno + SKIA + Blend2D - Final Release [2024-June-10].rar, prehashed
3k+phFDdOLHstaec5OdCDUgQ2mEtZj1x4wpLkRPxGadrhSLovK 7TCBvb8Utsxj4JcYyxHkAjP0BbTBAVFRNzBA==
------END SIGNATURE------
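
The checksum-versus-signature comparison above, as an added example that is not part of the original post and is not FXSignVerifier's code. It assumes Ed25519 and SHA-256 (the post names neither algorithm), and `Release`, `Publish`, `Tamper`, `ChecksumOK` and `SignatureOK` are hypothetical names over constructed sample bytes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is what a downloader receives (constructed model, not FXSignVerifier's format).
type Release struct {
	File     []byte
	Checksum [32]byte // SHA-256 published next to the file
	Sig      []byte   // Ed25519 signature over the file bytes
}

// Publish is the author's side; only the author holds priv.
func Publish(priv ed25519.PrivateKey, file []byte) Release {
	return Release{File: file, Checksum: sha256.Sum256(file), Sig: ed25519.Sign(priv, file)}
}

// Tamper models a modified download: the file changes and the checksum is
// recomputed to match, but without priv the old signature can only be reused.
func Tamper(r Release, altered []byte) Release {
	return Release{File: altered, Checksum: sha256.Sum256(altered), Sig: r.Sig}
}

// ChecksumOK recomputes the hash and compares it with the shipped one.
func ChecksumOK(r Release) bool {
	sum := sha256.Sum256(r.File)
	return bytes.Equal(sum[:], r.Checksum[:])
}

// SignatureOK verifies against a public key the user already trusts.
func SignatureOK(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.File, r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	good := Publish(priv, []byte("constructed sample update v1"))
	bad := Tamper(good, []byte("constructed sample update v1 + extra bytes"))
	fmt.Println("genuine:  ", ChecksumOK(good), SignatureOK(pub, good))
	fmt.Println("tampered: ", ChecksumOK(bad), SignatureOK(pub, bad))
	// Re-signing with a different key only passes if the verifier accepts that key.
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil)
	resigned := Publish(otherPriv, bad.File)
	fmt.Println("re-signed:", SignatureOK(pub, resigned), SignatureOK(otherPub, resigned))
}
```

The last case shows why the public key has to be obtained once through a channel you trust and then kept: a signature only proves origin relative to the key it is checked against.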