README.md @master — view markup · raw · history · blame
Verify — Lightweight, General-Purpose Code Signing
WARNING: verify
is still in the experimental phase. Do not
use this yet!
The verify
script is a small script that intends to make the
unfortunately common pattern of installing software using
curl | sh
more secure. The verify
script is a very small
interface on top of OpenBSD's
signify
code-signing tool
that fits in the middle of pipelines, letting you transform
the insecure pipeline
$ curl some-package | sh
to the more secure
$ curl some-package.verified | verify | sh
which will not execute the downloaded program if the package has not been signed by a trusted key. The keys used by signify are Ed25519 keys, and therefore are very small and can be easily stored and distributed in numerous ways.
Additionally, if you don't have the public key that signed a package, and want to trust a package just this one time, there's a script that can execute verified packages without checking to see if they are trusted first.
$ curl some-package.verified | trust | sh
Running the Example
Make sure that OpenBSD's signify
is somewhere in your $PATH
.
Create a directory $HOME/.trusted
and copy the public key
example/sample-key.pub
to that directory. Afterwards, you'll
be able to download the sample script and execute its (trivial)
command:
$ curl https://github.com/aisamanra/verify/raw/master/example/sample-payload.tar | verify | sh
If you can read this, then it has been verified.
If you delete that trusted key, then running the same command will result in an error.
Building your Own Packages
Assuming you have a signify public/private keypair already:
run the script sign.sh
with your private key, the name of the
executable file you want to sign, and the location where
you want the output to be.
$ >my-script.sh <<EOF
#!/bin/sh
echo Hello, world!
EOF
$ sign my-private-key ./my-script ./my-package.verified