Source Code Verification dig/sha256 -- for libsodium

[s243a]

This is sort of a TODO, as I'm not ready to verify source codes pulled in through subversion (I use eclipse as my subversion client). Perhaps subversion clients do their own checking. I'm not sure.

So I went through the trouble of getting openssl working with gost-engine (see thread), and I should be able to do this but I haven't yet written any bash scripts longer then a line and I'm getting impatient in my quest to get DNSCrypt working (see thread), so I think I'll press ahead but come back to this later.

I can always wipe-out puppy and start again if I have security concerns. Anyway, libsodium gives the following instructions to check the validity of any distributed file:

Code: Select all

dig +dnssec +short txt <file>.download.libsodium.org

http://doc.libsodium.org/installation/index.html

dig is part of the Bind package. For my version of puppy (precise), I have installed through petget various packagees yielded from a search for bind from both ubuntu-precise-universe and ubuntu-precise-main.

You'll need "bind client" for sure and whatever dependencies that it may have.

So, now what I need to do is to recursively search the directories for files where the result pulled from dig does not match the sha256 signature. Another interesting thing to do would be to put this comparisons into the make build system so, prior to reading any file make would first check for differences and then either terminate or log any discrepancies. Does make have any facilities to do this like a pre-target event?

[Scooby]

I'm getting impatient in my quest to get DNSCrypt working (see thread), so I think I'll press ahead but come back to this later.

I got it to work but on archbased OS.
What was your problem? that you couldn't verify dowloaded files?


What is gost-engine?

So, now what I need to do is to recursively search the directories for files where the result pulled from dig does not match the sha256 signature. Another interesting thing to do would be to put this comparisons into the make build system so, prior to reading any file make would first check for differences and then either terminate or log any discrepancies. Does make have any facilities to do this like a pre-target event?

Sounds a lot like what arch does with AUR packages

[s243a]

I got it to work but on archbased OS.
What was your problem? that you couldn't verify dowloaded files?

I just haven't tried installing it yet. Instead I've installed some preliminary stuff first.

However, verification the signature was my first hangup which I succeeded in doing for DNSCrypt but haven't done so for libsodium. As mentioned above I'm skipping this step for libsodium (see my thread)

What is gost-engine?

gost-engine is an add-on for openssl it can be found here:
https://github.com/luvit/openssl/tree/m ... nes/ccgost
(edit: gost-engine is required for the dig function of bind to work)


It builds as part of openssl if you make openssl in such a way to include shared libraries. This means add the --shared option when you run the configure file. It took a bit of reading the configure file (coded in PERL) for me to figure this out. See thread. I'm pretty new to both puppy an linux so this stuff still takes me a bit of time.

[jamesbond]

dnscrypt homepage doesn't make it sound too easy.

Actually, you don't need gost etc. All you need is sha256sum; available from either busybox or coreutils.
Then instead of using "dig" to fetch the checksum, use "drill" instead (drill comes from "ldns" package) - it is much smaller and easier to build that "bind".

Compare the two results, it should be identical. Here's a copy of mine.

Lastly, you can only hope to verify official sources you can get from their release page. If you get the source from subversion/git/whatever, it is not official and you can't expect to verify its integrity.