File Signatures and Verification Methods

Overview:

      When downloading an image or an installer you will often see MD5, SHA-1, SHA-256 and a signature listed next to the file. These let you check whether the download is corrupted or has been tampered with, and whether it really comes from the publisher. Hash values can be checked with commands built into Windows, macOS and Linux; the signature is checked with the gpg tool. Keep the two apart: a checksum published on the same page as the download only proves that the bytes arrived intact, because anyone who can replace the file can replace the checksum next to it, whereas a signature made with the publisher's private key cannot be forged that way. Also note that MD5 and SHA-1 catch accidental corruption but both have practical collision attacks, so when deliberate tampering is the concern compare a SHA-256 (or longer) digest.

Verification:

   Integrity check:

     The file's hash tells you whether it was damaged during download or transfer; MD5, SHA-1, SHA-256, SHA-224, SHA-384 and so on can all be used. What I use in my day-to-day work is MD5, to tell whether a file for a given version has been modified.

LINUX:

    1. md5sum, sha1sum, sha256sum (all from coreutils; each prints the digest followed by the file name)
md5sum /path/to/file
sha1sum /path/to/file
sha256sum /path/to/file

 WINDOWS:

    1. certutil (works from cmd.exe or PowerShell; the algorithm name is the last argument)
certutil -hashfile C:\path\to\file MD5

certutil -hashfile C:\path\to\file SHA1

certutil -hashfile C:\path\to\file SHA256

     2. Get-FileHash (a PowerShell cmdlet; SHA256 is the default when -Algorithm is omitted)

Get-FileHash C:\path\to\file.iso -Algorithm MD5
Get-FileHash C:\path\to\file.iso -Algorithm SHA1
Get-FileHash C:\path\to\file.iso -Algorithm SHA256
Get-FileHash C:\path\to\file.iso -Algorithm SHA384
Get-FileHash C:\path\to\file.iso -Algorithm SHA512
Get-FileHash C:\path\to\file.iso -Algorithm MACTripleDES
Get-FileHash C:\path\to\file.iso -Algorithm RIPEMD160

        MACTripleDES and RIPEMD160 are only accepted by Windows PowerShell 5.1; PowerShell 6 and later support SHA1, SHA256, SHA384, SHA512 and MD5.

macOS:

    1. md5, shasum (shasum without -a defaults to SHA-1; -a 256 selects SHA-256)

md5 /path/to/file

shasum /path/to/file

shasum -a 1 /path/to/file

shasum -a 256 /path/to/file
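The check the commands above do by hand, as an added example that is not part of the original post: a POSIX shell script that verifies a download against a published checksum list (the format kernel.org ships as sha256sums.asc, and the format that sha256sum -c and shasum -c read) and rejects a file whose contents changed. The release file and the list are constructed inside the script; it uses sha256sum where coreutils is present and falls back to shasum -a 256 on macOS.

```shell
#!/bin/sh
# Added example, not from the original post. It checks a download against a
# published checksum list the way sha256sum -c / shasum -c do, and then shows
# that a single changed byte is caught. The "release" file and its checksum
# list are constructed here; on kernel.org the real list is sha256sums.asc.
# Works with coreutils (Linux) or shasum (macOS).

# Use whichever SHA-256 tool the platform provides; both print "<hex>  <name>".
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Hex digest of one file, without the file name.
sha256_of() {
    sha256_cmd "$1" | awk '{print $1}'
}

# verify_against_list FILE LIST
# Looks FILE up by base name in LIST ("<hex>  <name>" or "<hex> *<name>" lines)
# and compares digests. 0 = match; 1 = mismatch or not listed. An unlisted file
# is a failure, not a pass: a list that silently skips a file proves nothing.
verify_against_list() {
    file=$1; list=$2
    expected=$(awk -v n="$(basename "$file")" \
        '$2 == n || $2 == "*" n {print $1; exit}' "$list")
    if [ -z "$expected" ]; then
        echo "FAILED: $(basename "$file") is not listed in $list" >&2; return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "FAILED: $file" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
}

# Walk through the realistic flow with constructed files. Returns 0 when the
# intact file verifies and the tampered one is rejected.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for a release tarball\n' > "$dir/linux-5.1.15.tar"
    # Write the list from inside the directory so it holds bare file names,
    # which is what "sha256sum -c" expects to find relative to the working dir.
    (cd "$dir" && sha256_cmd linux-5.1.15.tar > sha256sums.asc)

    # The stock tool's check mode and the explicit comparison must both pass.
    (cd "$dir" && sha256_cmd -c sha256sums.asc) || return 1
    verify_against_list "$dir/linux-5.1.15.tar" "$dir/sha256sums.asc" || return 1

    # Change one byte (same length): the digest changes completely.
    printf 'constructed stand-in for a release tarbalL\n' > "$dir/linux-5.1.15.tar"
    if verify_against_list "$dir/linux-5.1.15.tar" "$dir/sha256sums.asc" 2>/dev/null; then
        echo "tampered file was NOT detected" >&2; return 1
    fi
    rm -rf "$dir"
}

demo
```

Run it as ./check.sh; the script's own comparison is what you would embed in a download step, and an exit status of 1 must stop the pipeline rather than just print a line. It deliberately treats "not in the list" as a failure, because the usual mistake is to grep the list, get no match, and carry on.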

 

  Authenticity check:

          Done with gpg, in two steps: 1. import the publisher's public key, 2. verify the signature. gpg will then report a good signature but warn that the key is not certified: it has checked the math, but has no reason to believe the key belongs to the person named in it. Once you have compared the key's fingerprint with the one the project publishes through a separate channel, you can certify the key or set its trust to get rid of the warning.

 WINDOWS:

           Preparation:

           Install Gpg4win and, once it is done, open the Kleopatra application.

           Taking the Linux kernel package linux-5.1.15.tar.xz as the example: kernel.org signs the uncompressed tarball, so decompress the .xz to linux-5.1.15.tar and put it in the same directory as linux-5.1.15.tar.sign.

          Verification:

          1.   File -> Lookup on Server, enter torvalds@kernel.org and gregkh@kernel.org (5.1.15 is a stable release and is signed with gregkh@kernel.org; mainline releases are signed by torvalds@kernel.org);

          2.  Click Search -> Import;

          3.  File -> Decrypt/Verify, select linux-5.1.15.tar.sign (this is why the .tar has to sit next to it);

          4.  Check the audit log:

gpg: Signature made 06/25/19 11:35:48 China Standard Time
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

             The line "Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>"" means the signature verified: the tarball is exactly what that key signed. Before relying on it, compare the "Primary key fingerprint" line with the fingerprint kernel.org publishes for Greg's key; the [unknown] after each user ID says Kleopatra has not yet established that the key belongs to him, which is what the WARNING is about.

              Getting rid of the warning:

              1. Create your own OpenPGP key pair (you will be asked for a passphrase);

              2. In the main Certificates view right-click Greg's public key -> Certify. This records, under your own key, that you checked the fingerprint. Verify the signature again and the warning is gone, with the user IDs now marked [full] instead of [unknown]:

 

gpg: Signature made 06/25/19 11:35:48 China Standard Time
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" [full]
gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>" [full]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" [full]

LINUX:

          Use gpg2 (install it with apt or yum if it is missing); the environment below is CentOS 7:

         Preparation:

         Following the signatures page on the Linux kernel site, download linux-5.1.15.tar.xz and the matching linux-5.1.15.tar.sign, then decompress the .xz (the signature covers the uncompressed .tar).

        Verification:

         1.  Fetch the public keys and import them (--search-keys queries a keyserver and lets you pick the result to import; --locate-keys looks the keys up and imports them without prompting)

gpg2 --search-keys gregkh@kernel.org
gpg2 --search-keys torvalds@kernel.org
gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org

        2.   Verify:

        gpg2 --verify linux-5.1.15.tar.sign

        gpg reads linux-5.1.15.tar from the same directory. The output shows the fingerprint of the public key the signature was made with; compare it with the one published on kernel.org to confirm the signature comes from the right key and not merely from some key carrying Greg's name.

[root@centosgpt srv]# gpg2 --verify linux-5.1.15.tar.sign
gpg: Signature made Tue 25 Jun 2019 11:35:48 AM CST using RSA key ID 6092693E
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>"
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

      Getting rid of the warning:

      1.  Set the trust of the imported key,

          gpg2 --edit-key gregkh@kernel.org

      2.  At the gpg> prompt type trust, choose 5 = I trust ultimately, confirm with y, then quit. Ultimate trust is really meant for your own keys; for someone else's key the narrower choice is to compare the fingerprint with the published one and then sign the key locally (lsign at the same prompt, or gpg2 --lsign-key gregkh@kernel.org), which also makes the warning disappear.

[root@centosgpt srv]# gpg2 --verify linux-5.1.15.tar.sign
gpg: Signature made Tue 25 Jun 2019 11:35:48 AM CST using RSA key ID 6092693E
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>"
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
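The Kleopatra and gpg2 procedures above verify interactively and read the human-readable output. As an added example that is not from the original post, Gpg4win or kernel.org, the following POSIX shell script runs the same flow end to end offline and shows how to verify from a script: it generates a throwaway signing key in a temporary keyring, signs a constructed stand-in for linux-5.1.15.tar with a detached armored signature (the format of the .sign files on kernel.org), imports only the public key into a second, empty keyring, and then checks gpg's exit status and its machine-readable --status-fd lines with the expected primary-key fingerprint pinned. The identity release@example.invalid and all files are assumptions made for the example; it needs gpg 2.1 or later and never touches your own keyring.

```shell
#!/bin/sh
# Added example; not code from the original post, Gpg4win or kernel.org. It
# creates a throwaway signing key in a temporary keyring, signs a constructed
# stand-in for linux-5.1.15.tar with a detached, armored signature, imports
# only the public key into a second empty keyring (your situation right after
# --search-keys/--import), and verifies the way a script should: exit status
# plus gpg's machine-readable --status-fd lines, with the expected primary-key
# fingerprint pinned. Needs gpg 2.1+. release@example.invalid is hypothetical.

# Run gpg against a chosen keyring directory, never the user's real ~/.gnupg.
g() { home=$1; shift; GNUPGHOME=$home gpg --batch --no-tty "$@"; }

# verify_pinned KEYRING FILE SIGFILE EXPECTED_FPR
# 0 only when the signature is cryptographically valid AND was made by the
# pinned primary key. Also reports the TRUST_* level gpg assigned to the key.
verify_pinned() {
    home=$1; file=$2; sig=$3; want=$4
    # --status-fd 1 prints stable "[GNUPG:] ..." lines meant for programs. The
    # "Good signature" / "WARNING" text quoted in the post goes to stderr, is
    # localized, and is not something a script should grep.
    status=$(g "$home" --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    rc=$?
    # Non-zero exit: BADSIG (file or signature altered), NO_PUBKEY, ERRSIG...
    # The "not certified with a trusted signature" warning does NOT affect rc.
    if [ "$rc" -ne 0 ]; then
        printf '%s\n' "$status" | awk '$2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY)$/ {print "FAIL:", $2}'
        return 1
    fi
    # VALIDSIG: field 3 is the fingerprint of the key that signed, field 12 (if
    # present) that of its primary key; release pages publish the primary one.
    got=$(printf '%s\n' "$status" \
        | awk '$2 == "VALIDSIG" {fpr = ($12 != "") ? $12 : $3; print fpr; exit}')
    trust=$(printf '%s\n' "$status" | awk '$2 ~ /^TRUST_/ {print $2; exit}')
    if [ "$got" != "$want" ]; then
        echo "FAIL: good signature, but from $got, not the pinned key $want"
        return 1
    fi
    echo "OK: valid signature from $got, key validity $trust"
}

PAYLOAD='constructed stand-in for the kernel tarball'

# Build the scenario: signer keyring, verifier keyring, release and signature.
setup_demo() {
    SIGNER=$(mktemp -d) && VERIFIER=$(mktemp -d) && WORK=$(mktemp -d) || return 1
    chmod 700 "$SIGNER" "$VERIFIER"
    g "$SIGNER" --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Bot <release@example.invalid>' default default never || return 1
    FPR=$(g "$SIGNER" --with-colons --list-keys release@example.invalid \
        | awk -F: '$1 == "fpr" {print $10; exit}')
    TAR=$WORK/linux-5.1.15.tar
    printf '%s\n' "$PAYLOAD" > "$TAR"
    g "$SIGNER" --pinentry-mode loopback --passphrase '' --armor --detach-sign \
        --output "$TAR.sign" "$TAR" || return 1
    # The verifier only ever holds the public key.
    g "$SIGNER" --armor --export release@example.invalid | g "$VERIFIER" --import
}

demo() {
    setup_demo >/dev/null 2>&1 || { echo "setup failed: is gpg >= 2.1 installed?" >&2; return 1; }
    # 1) Intact file, right key, key just imported: valid, but TRUST_UNDEFINED.
    #    This is exactly the WARNING case in the post; the exit code is still 0.
    verify_pinned "$VERIFIER" "$TAR" "$TAR.sign" "$FPR" || return 1
    # 2) One byte appended in transit: BADSIG, non-zero exit.
    printf 'x' >> "$TAR"
    if verify_pinned "$VERIFIER" "$TAR" "$TAR.sign" "$FPR"; then return 1; fi
    # 3) File restored, but a different fingerprint pinned: "Good signature" from
    #    the wrong key is still a failure. This catches a look-alike key that
    #    someone uploaded to a keyserver under the maintainer's e-mail address.
    printf '%s\n' "$PAYLOAD" > "$TAR"
    if verify_pinned "$VERIFIER" "$TAR" "$TAR.sign" \
        0000000000000000000000000000000000000000; then return 1; fi
    # 4) After comparing FPR with the value published out of band, record the
    #    decision. Ownertrust 6 is what the post's interactive "trust -> 5 =
    #    ultimately" writes; the status becomes TRUST_ULTIMATE and the warning
    #    goes away. Keep ultimate for your own keys in practice; for others'
    #    keys, lsign-key after the fingerprint check is the narrower option.
    printf '%s:6:\n' "$FPR" | g "$VERIFIER" --import-ownertrust 2>/dev/null
    verify_pinned "$VERIFIER" "$TAR" "$TAR.sign" "$FPR" | grep TRUST_ULTIMATE
}

cleanup_demo() { rm -rf "$SIGNER" "$VERIFIER" "$WORK"; }

demo; DEMO_RC=$?
```

The point of the fingerprint pin is step 3: a keyserver will happily return any key that carries gregkh@kernel.org as a user ID, and gpg will print "Good signature" for it, so a script that stops at the exit code accepts a signature from an impostor key. Step 1 versus step 4 shows that the trust warning is a separate matter: it never changes the exit status, so it has to be handled by certifying the key (or, as in the post, setting its trust) rather than by parsing stderr.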

References:

How to Verify a Linux ISO’s Checksum and Confirm It Hasn’t Been Tampered With

What Are MD5, SHA-1, and SHA-256 Hashes, and How Do I Check Them?

GPG - How to trust an imported key

Linux kernel signature
