Website Signature Verifier
by Joel R. Voss aka. Javantea
Nov 13, 2005
Sends an e-mail when your site has a cryptographic error. This is good to detect changes, intrusions, and mistakes. There are three levels of testing:
Level 1: Check that remote page concurs with remote signature.
Level 1 ensures that someone has signed the file with a key that we have in our public keyring. Level 1 ensures that if your page is changed, it is because of an intended change and has been signed by the developer. Level 1 is not a perfect guarantee of security since an attacker who is in your public keyring could sign it with their key and Level 1 would pass.
Level 2: Check that the remote page has been signed with the correct key.
Level 2 fills the hole that Level 1 leaves: it ensures that the keyid is the same. If an attacker has the same key ID as you (unlikely), then Level 2 will be attackable.
Level 3: Check that the remote page has been signed with the local key.
Level 3 fills the gap that Level 1 and 2 leave: it ensures that the page has not changed since we updated the local signature. This is more involved than the other levels because it requires you to update the remote server with the signature every time you update the page.
gen_index_sig1.sh is the script that generates the signature for the index
file. It is terrifically simple:
gpg -a -b index.html
This creates a detached signature: index.html.asc
To pass Level 3, you need to run:
scp index.html.asc $REMOTE_SERVER:$TESTDIR/index.html.asc.local
Before it works you need to get the public key in your keyring. If you're using the example of altsci.com, simply import jvoss.asc like this: gpg --import jvoss.asc
You will _definitely_ need to edit the first 5 variables in site_sign.sh:
# TESTDIR is the directory to do the testing. # You need write access. TESTDIR=/home/jvoss/site_sign # FILE is the remote file that you wish to test. FILE=index.html # SITE is the server that you wish to test. SITE=http://www.altsci.com # KEY is the Key ID that you wish to ensure in Level 2. KEY=1954FED2 # EMAIL is the address that you wish to send an # e-mail to when a compromise has been found. EMAILemail@example.com
If you're using this for your own server, you'll need to use a key from your own server. You need to export the public key and copy it to the destination server.
# Export the key. gpg -a --export $KEY > key.asc # Copy the key to the remote server. scp key.asc $REMOTE_SERVER # SSH into to the remote server. ssh $REMOTE_SERVER # Import the key. gpg --import key.asc
If you are interested in developing Website Signature Verifier, feel free to e-mail me.Permalink