Cryptographic Sealing
Fingerprint can be used to ensure that a set of files has been delivered without manipulation, by creating a fingerprint and signing this with a private key. The fingerprint and associated files can later be verified using the public key.
Generating Keys
To sign fingerprints, the first step is to create a private and public key pair. This is easily achieved using OpenSSL:
-- Create a private key, which you must keep secure.
$ openssl genrsa -out private-signature.pem 2048
Generating RSA private key, 2048 bit long modulus
.............+++
........+++
e is 65537 (0x10001)
-- Create a public key, which can be used to verify sealed fingerprints.
$ openssl rsa -in private-signature.pem -pubout -out public-signature.pem
writing RSA key
Signing Fingerprints
After you have generated a fingerprint, you can sign it easily using the private key:
-- You can replace '._index.signature' and '._index.fingerprint' with whatever names you have used.
-- We assume here that you are using fingerprint -a to generate fingerprints.
$ openssl dgst -sha1 -sign private-signature.pem -out ._index.signature ._index.fingerprint
Verifying Fingerprints
You can verify the integrity of the fingerprint data against the signature:
$ openssl dgst -sha1 -verify public-signature.pem -signature ._index.signature ._index.fingerprint
Verified OK
-- Fingerprint data has been cryptographically verified
$ fingerprint -v
S
error.count 0
Data verified, 0 errors found.
-- File list has been checked and no errors were found.
As long as the private key is kept secure, and the verifier obtains the public key from a trusted source, we can be sure that these files have not been tampered with.
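The same seal-and-verify flow, written as an added Ruby example (not part of the fingerprint project or this page) so that the three outcomes a verifier can observe are visible side by side: an intact fingerprint verifies, a fingerprint altered by one byte fails, and a signature made with an untrusted key fails. It uses SHA-256 where the commands above use SHA-1; either works as long as signer and verifier agree. The sample fingerprint contents are constructed, not real `fingerprint -a` output.

```ruby
require "openssl"

# Digest used for both signing and verification; both sides must agree.
# The commands above use -sha1; SHA-256 is used here.
DIGEST = "SHA256"

# Equivalent of `openssl genrsa -out private-signature.pem 2048`.
# Returns the private key, which must be kept secure.
def generate_private_key(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# Equivalent of `openssl rsa -in private-signature.pem -pubout`:
# the PEM that can be handed to anyone who needs to verify seals.
def public_key_pem(private_key)
  private_key.public_key.to_pem
end

# Equivalent of `openssl dgst -sha256 -sign private-signature.pem <fingerprint>`.
def sign_fingerprint(private_key, fingerprint_data)
  private_key.sign(OpenSSL::Digest.new(DIGEST), fingerprint_data)
end

# Equivalent of `openssl dgst -sha256 -verify public-signature.pem -signature <sig> <fingerprint>`.
# True only if the signature matches exactly this data under this public key.
def verify_fingerprint(public_pem, fingerprint_data, signature)
  OpenSSL::PKey::RSA.new(public_pem).verify(OpenSSL::Digest.new(DIGEST), signature, fingerprint_data)
rescue OpenSSL::PKey::PKeyError
  false # malformed signature bytes count as a failed verification
end

# Constructed stand-in for a `._index.fingerprint` file (not real tool output).
SAMPLE_FINGERPRINT = "F docs/README.md\nF bin/fingerprint\n"

# Seal the sample fingerprint, then check the three outcomes a verifier can see.
def seal_and_check
  signer = generate_private_key
  pub = public_key_pem(signer)
  sig = sign_fingerprint(signer, SAMPLE_FINGERPRINT)
  {
    intact: verify_fingerprint(pub, SAMPLE_FINGERPRINT, sig),
    # one byte changed in the fingerprint: the signature no longer matches
    tampered: verify_fingerprint(pub, SAMPLE_FINGERPRINT.sub("README", "readme"), sig),
    # re-signed with a key the verifier does not trust
    wrong_key: verify_fingerprint(pub, SAMPLE_FINGERPRINT, sign_fingerprint(generate_private_key, SAMPLE_FINGERPRINT)),
  }
end

puts seal_and_check if __FILE__ == $0
```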