-
-
Save ezimuel/3cb601853db6ebc4ee49 to your computer and use it in GitHub Desktop.
| #!/bin/bash | |
| # Sign a file with a private key using OpenSSL | |
| # Encode the signature in Base64 format | |
| # | |
| # Usage: sign <file> <private_key> | |
| # | |
| # NOTE: to generate a public/private key use the following commands: | |
| # | |
| # openssl genrsa -aes128 -passout pass:<passphrase> -out private.pem 2048 | |
| # openssl rsa -in private.pem -passin pass:<passphrase> -pubout -out public.pem | |
| # | |
| # where <passphrase> is the passphrase to be used. | |
| filename=$1 | |
| privatekey=$2 | |
| if [[ $# -lt 2 ]] ; then | |
| echo "Usage: sign <file> <private_key>" | |
| exit 1 | |
| fi | |
| openssl dgst -sha256 -sign $privatekey -out /tmp/$filename.sha256 $filename | |
| openssl base64 -in /tmp/$filename.sha256 -out signature.sha256 | |
| rm /tmp/$filename.sha256 |
| #!/bin/bash | |
| # Verify a file with a public key using OpenSSL | |
| # Decode the signature from Base64 format | |
| # | |
| # Usage: verify <file> <signature> <public_key> | |
| # | |
| # NOTE: to generate a public/private key use the following commands: | |
| # | |
| # openssl genrsa -aes128 -passout pass:<passphrase> -out private.pem 2048 | |
| # openssl rsa -in private.pem -passin pass:<passphrase> -pubout -out public.pem | |
| # | |
| # where <passphrase> is the passphrase to be used. | |
| filename=$1 | |
| signature=$2 | |
| publickey=$3 | |
| if [[ $# -lt 3 ]] ; then | |
| echo "Usage: verify <file> <signature> <public_key>" | |
| exit 1 | |
| fi | |
| openssl base64 -d -in $signature -out /tmp/$filename.sha256 | |
| openssl dgst -sha256 -verify $publickey -signature /tmp/$filename.sha256 $filename | |
| rm /tmp/$filename.sha256 |
Use following in sign.sh to have it fully non-interactive:
openssl dgst -sha256 -sign $privatekey -passin pass:<passphrase> -out /tmp/$filename.sha256 $filename
Thanks a lot, mate. This is very useful.
Useful! Thanks. Although I wonder why transforming binary sig to base64 and then from base64? The base64 transformation can be skipped for the purposes of this example. Also might be worth noting that public key should be a PUBLIC KEY and not a certificate. In many cases you don't generate private/public key pairs but instead you have a private key and a certificate that might be signed by a public CA. So in this case you have to extract the public key from the certificate with: openssl x509 -in -pubkey -noout > public_key.pem
@ pshterev
x509 -in -pubkey -noout > public_key.pem
I did find this command example often in internet, but for my openssl version coming along with git this does not work, i get error x509: Unknown parameter >. But I can use just "-noout" to get a print in the console, or "-out public_key.pem" to get a file.
parameter >
Do you use bash ? cmd.exe ? or an exotic shell. cmd.exe and posix shell should support redirection to file (and doesn't interpret > as parameter). If you have a posix shell check the content of the variable IFS (it should contain at least space).
This is amazing! Thank you for the article and thank you for the scripts!
I am using Code Signing feature of AWS IoT Jobs, and I was stuck on how to verify the signatures :D