Project

General

Profile

Actions

Architecture #6480

closed

Create a script to sign files using openssl on windows

Added by Benoît PECCATTE over 9 years ago. Updated over 9 years ago.

Status:
Rejected
Priority:
3
Assignee:
Matthieu CERDA
Category:
Agent
Target version:
Effort required:
Name check:
Fix check:
Regression:

Description

Usage would be ./signature.cmd file
It would use cfengine keys and create a file.sign

Actions #1

Updated by Benoît PECCATTE over 9 years ago

  • Parent task set to #6355
Actions #2

Updated by Benoît PECCATTE over 9 years ago

  • Tracker changed from Enhancement to Architecture
Actions #3

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.0.4 to 3.0.5
Actions #4

Updated by Nicolas CHARLES over 9 years ago

Why is the target 3.0 ?

Actions #5

Updated by Matthieu CERDA over 9 years ago

  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Priority changed from N/A to 3
  • Target version changed from 3.0.5 to 3.1.0~beta1

First script iteration (won't work yet, still wip):

IF EXIST "C:\Program Files\Rudder\sbin\openssl\openssl.exe" (
  REM OpenSSL is here, all good.
) else (
  echo "ERROR: No OpenSSL detected. Bailing out" 
  quit
)

REM md4 md5 sha sha1 sha224 sha256 sha384 sha512 whirlpool
REM The oldest openssl we support is 0.9.8 and it supports sha512
SET HASH=sha512

REM the file to sign
SET FILE="%1" 

IF EXIST %FILE% (
  echo HERE
) else (
  echo NOTHERE
)

REM the key to use for signature
SET PRIVKEY=localhost.priv

REM cfengine  passphrase
SET PASSPHRASE="Cfengine passphrase" 

REM Create signature
SET SIGNATURE=$(openssl dgst -passin "pass:%PASSPHRASE%" -%HASH% -hex -sign "%PRIVKEY%" -in "%FILE%" 
REM| sed -e 's/.*= //')

REM Create a signature FILE
echo header=rudder-signature-v1 algorithm=%HASH% digest=%SIGNATURE%
REM > %1.sign

Actions #6

Updated by François ARMAND over 9 years ago

  • Assignee changed from Benoît PECCATTE to Matthieu CERDA

Matthieu, could you take that one on you side, since you came back before it was possible to do it ?

Thanks,

Actions #7

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Actions #8

Updated by Vincent MEMBRÉ over 9 years ago

  • Parent task deleted (#6355)
Actions #9

Updated by Matthieu CERDA over 9 years ago

  • Status changed from New to In progress
Actions #10

Updated by Matthieu CERDA over 9 years ago

  • Status changed from In progress to Rejected

The work on this part is finished, and will be included as part of the Windows packaging.

For future reference, the script is:

# Argument definition

## -file: defines the file to be signed
Param ( [string]$file )

# Variables

## OpenSSL binary
$openssl="C:\Program Files\Rudder\sbin\openssl\openssl.exe" 

## Key to use for signature
If ( Test-Path "C:\Program Files\Cfengine\ppkeys\localhost.priv" )
{
 $privkey="C:\Program Files\Cfengine\ppkeys\localhost.priv" 
} Else {
 $privkey="C:\Program Files (x86)\Cfengine\ppkeys\localhost.priv" 
} 

## Hash algorithm to use
## md4 md5 sha sha1 sha224 sha256 sha384 sha512 whirlpool
## The oldest openssl we support is 0.9.8 and it supports sha512
$hash="sha512" 

## CFEngine default passphrase
$passphrase="Cfengine passphrase" 

# Code

If (-Not (Test-Path $openssl))
{
  Write-Host "ERROR: No OpenSSL detected. Bailing out" 
  Exit
}

If (-Not (Test-Path $file))
{
  Write-Host "ERROR: Given file not found. Bailing out" 
  Exit
}

# Create signature
$signature = & $openssl dgst -passin "pass:$passphrase" -$hash -hex -sign "$privkey" "$file" 2>$null | % { $_ -replace ".*= ","" }

# Create a signature
"header=rudder-signature-v1`nalgorithm=$hash`ndigest=$signature" | Out-File -Encoding UTF8 "$file.sign" 

Actions

Also available in: Atom PDF