You must verify the integrity of the downloaded files
TL;DR
You must verify the integrity of the downloaded files. We provide OpenPGP signatures for every release file. This signature should be matched against the KEYS file which contains the OpenPGP keys of Tomcat's Release Managers. We also provide SHA-512 checksums for every release file. After you download the file, you should calculate a checksum for your download, and make sure it is the same as ours.
The usual verification methods are MD5, SHA-1 and PGP. Two caveats: MD5 and SHA-1 are no longer collision-resistant, so a checksum in either detects accidental corruption but not a deliberately substituted file, which is why current projects publish SHA-256/SHA-512; and a checksum fetched from the same mirror as the file only proves the two were published together, whereas the OpenPGP signature ties the file to a key the project controls.
md5sum

```
md5sum --help
Usage: md5sum [OPTION]... [FILE]...
Print or check MD5 (128-bit) checksums.
With no FILE, or when FILE is -, read standard input.

  -b, --binary         read in binary mode
  -c, --check          read MD5 sums from the FILEs and check them
      --tag            create a BSD-style checksum
  -t, --text           read in text mode (default)
  Note: There is no difference between binary and text mode option on GNU system.

The following four options are useful only when verifying checksums:
      --quiet          don't print OK for each successfully verified file
      --status         don't output anything, status code shows success
      --strict         exit non-zero for improperly formatted checksum lines
  -w, --warn           warn about improperly formatted checksum lines

      --help     display this help and exit
      --version  output version information and exit

The sums are computed as described in RFC 1321.  When checking, the input
should be a former output of this program.  The default mode is to print
a line with checksum, a character indicating input mode ('*' for binary,
space for text), and name for each FILE.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'md5sum invocation'
```
sha1sum

```
sha1sum --help
Usage: sha1sum [OPTION]... [FILE]...
Print or check SHA1 (160-bit) checksums.
With no FILE, or when FILE is -, read standard input.

  -b, --binary         read in binary mode
  -c, --check          read SHA1 sums from the FILEs and check them
      --tag            create a BSD-style checksum
  -t, --text           read in text mode (default)
  Note: There is no difference between binary and text mode option on GNU system.

The following four options are useful only when verifying checksums:
      --quiet          don't print OK for each successfully verified file
      --status         don't output anything, status code shows success
      --strict         exit non-zero for improperly formatted checksum lines
  -w, --warn           warn about improperly formatted checksum lines

      --help     display this help and exit
      --version  output version information and exit

The sums are computed as described in FIPS-180-1.  When checking, the input
should be a former output of this program.  The default mode is to print
a line with checksum, a character indicating input mode ('*' for binary,
space for text), and name for each FILE.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'sha1sum invocation'
```
sha512sum

```
sha512sum --help
Usage: sha512sum [OPTION]... [FILE]...
Print or check SHA512 (512-bit) checksums.
With no FILE, or when FILE is -, read standard input.

  -b, --binary         read in binary mode
  -c, --check          read SHA512 sums from the FILEs and check them
      --tag            create a BSD-style checksum
  -t, --text           read in text mode (default)
  Note: There is no difference between binary and text mode option on GNU system.

The following four options are useful only when verifying checksums:
      --quiet          don't print OK for each successfully verified file
      --status         don't output anything, status code shows success
      --strict         exit non-zero for improperly formatted checksum lines
  -w, --warn           warn about improperly formatted checksum lines

      --help     display this help and exit
      --version  output version information and exit

The sums are computed as described in FIPS-180-2.  When checking, the input
should be a former output of this program.  The default mode is to print
a line with checksum, a character indicating input mode ('*' for binary,
space for text), and name for each FILE.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'sha512sum invocation'
```
gpg

```
gpg --help
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

Commands:

 -s, --sign                 make a signature
     --clearsign            make a clear text signature
 -b, --detach-sign          make a detached signature
 -e, --encrypt              encrypt data
 -c, --symmetric            encryption only with symmetric cipher
 -d, --decrypt              decrypt data (default)
     --verify               verify a signature
 -k, --list-keys            list keys
     --list-sigs            list keys and signatures
     --check-sigs           list and check key signatures
     --fingerprint          list keys and fingerprints
 -K, --list-secret-keys     list secret keys
     --gen-key              generate a new key pair
     --gen-revoke           generate a revocation certificate
     --delete-keys          remove keys from the public keyring
     --delete-secret-keys   remove keys from the secret keyring
     --sign-key             sign a key
     --lsign-key            sign a key locally
     --edit-key             sign or edit a key
     --passwd               change a passphrase
     --export               export keys
     --send-keys            export keys to a key server
     --recv-keys            import keys from a key server
     --search-keys          search for keys on a key server
     --refresh-keys         update all keys from a keyserver
     --import               import/merge keys
     --card-status          print the card status
     --card-edit            change data on a card
     --change-pin           change a card's PIN
     --update-trustdb       update the trust database
     --print-md             print message digests
     --server               run in server mode

Options:

 -a, --armor                create ascii armored output
 -r, --recipient USER-ID    encrypt for USER-ID
 -u, --local-user USER-ID   use USER-ID to sign or decrypt
 -z N                       set compress level to N (0 disables)
     --textmode             use canonical text mode
 -o, --output FILE          write output to FILE
 -v, --verbose              verbose
 -n, --dry-run              do not make any changes
 -i, --interactive          prompt before overwriting
     --openpgp              use strict OpenPGP behavior

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clearsign [file]         make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to <http://bugs.gnupg.org>.
```
- .gpg - GNU Privacy Guard public keyring file, binary format. See examples from 4.2 Configuration files
- .sig - GPG signed document file, binary format.
- .asc - ASCII-armored signature, with or without the wrapped document, plain-text format. Usually used for clearsigned documents, where the unmodified original document and its signature are carried together. For a detached signature you generate the signature only, without the original document, via `--detach-sign` (`-b`); the verifier then needs both the original file and the `.asc`/`.sig` file.
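The TL;DR above says to match the signature against the KEYS file; the following added example (not code from the original page, and not Tomcat's own tooling) shows what that check looks like for a detached `.asc`/`.sig` signature. The file names are assumptions. It imports KEYS into a throw-away keyring, reads gpg's machine-readable status lines instead of the human-readable text, and optionally pins the signer's primary fingerprint, because a KEYS file downloaded from the same mirror as the artifact proves only that the two were published together.

```shell
#!/bin/sh
# Verify a release artifact against a detached OpenPGP signature (.asc or .sig)
# using only the keys in the project's KEYS file.  The KEYS file is imported
# into a throw-away keyring so nothing is added to the user's own ~/.gnupg.
# Added example, not code from the original page; file names are assumptions.
#
# Usage: verify_release KEYS artifact signature [expected-primary-fingerprint]
# Returns 0 only if gpg reports GOODSIG and, when a fingerprint is given, the
# signing key's primary fingerprint matches it.
verify_release() {
    keys_file=$1
    artifact=$2
    signature=$3
    # Normalise a fingerprint copied from a web page: drop spaces, upper-case.
    expected_fpr=$(printf '%s' "${4:-}" | tr -d ' ' | tr 'a-f' 'A-F')

    [ -f "$keys_file" ] && [ -f "$artifact" ] && [ -f "$signature" ] || return 1

    tmp_home=$(mktemp -d) || return 1
    chmod 700 "$tmp_home"

    # Import the release managers' public keys; no keyserver lookup.
    if ! gpg --batch --quiet --homedir "$tmp_home" --import "$keys_file" >/dev/null 2>&1; then
        rm -rf "$tmp_home"
        return 1
    fi

    # --status-fd gives machine-readable "[GNUPG:] ..." lines; parsing those is
    # safer than grepping the human-readable, locale-dependent output.
    # For a detached signature the signature file comes first, then the data.
    status=$(gpg --batch --homedir "$tmp_home" --status-fd 1 \
                 --verify "$signature" "$artifact" 2>/dev/null)
    rc=$?
    rm -rf "$tmp_home"

    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1

    if [ -n "$expected_fpr" ]; then
        # VALIDSIG's last field is the fingerprint of the primary key that owns
        # the signing (sub)key, which is what projects publish out of band.
        got_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / {print $NF; exit}')
        [ "$got_fpr" = "$expected_fpr" ] || return 1
    fi
    return 0
}

# Example invocation (assumed file names):
# verify_release KEYS apache-tomcat-9.0.36.tar.gz apache-tomcat-9.0.36.tar.gz.asc \
#     'FINGERPRINT-PUBLISHED-BY-THE-PROJECT' && echo "signature OK"
```

A good signature from an unknown key still exits 0 in gpg, which is why the function checks `GOODSIG` explicitly and lets the caller pin a fingerprint obtained from somewhere other than the download mirror.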
apt-repository
- https://www.myfreax.com/how-to-add-apt-repository-in-ubuntu/
- https://mariadb.com/kb/en/installing-mariadb-deb-files/
yum-repository
demo

```
ls /bin/|grep sum
cksum
md5sum
sha1sum
sha224sum
sha256sum
sha384sum
sha512sum
sum
```

```
echo "ABC" > file.txt
sha512sum file.txt > file.txt.sha512
sha512sum -c file.txt.sha512
file.txt: OK
##############################
echo "ABCxxx" > file.txt
sha512sum -c file.txt.sha512
file.txt: FAILED
sha512sum: WARNING: 1 computed checksum did NOT match
```

```
curl -s -O https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz.sha512
curl -s -O https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz
sha512sum -c apache-tomcat-9.0.36.tar.gz.sha512
# The new format, used by .sha512 files, contains the hash value and the artifact's filename associated on the same line (separated by two spaces), which is what lets `-c` find the file above.
# To compare the two digests by eye instead, print the expected value from the .sha512 file and compute the actual value of the archive:
awk '{print $1}' apache-tomcat-9.0.36.tar.gz.sha512
sha512sum apache-tomcat-9.0.36.tar.gz | awk '{print $1}'
```
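`sha512sum -c` only works when the checksum file names the artifact exactly as it sits on disk. The following added example (not code from the original page) generalises the demo above: it accepts the `<hash>  <name>` and `<hash> *<name>` formats as well as the older bare-hash format, rejects anything that is not a hex digest of the expected length (a truncated download or an HTML error page saved as the checksum must not pass), and fails closed. Function and file names are assumptions.

```shell
#!/bin/sh
# Verify an artifact against a .sha512 (or .sha256) file regardless of whether
# the checksum file names the artifact.  Added example, not code from the
# original page.
#
# Usage: verify_checksum artifact checksum-file [sha512|sha256]
# Returns 0 only if the artifact's digest equals the one in the checksum file.
verify_checksum() {
    artifact=$1
    sumfile=$2
    algo=${3:-sha512}

    [ -f "$artifact" ] && [ -f "$sumfile" ] || return 1

    # Digest length in hex characters for the supported algorithms.
    case $algo in
        sha512) want_len=128 ;;
        sha256) want_len=64 ;;
        *) return 1 ;;
    esac

    # Expected digest: first whitespace-delimited field of the first line,
    # lower-cased.  This covers "<hash>  name", "<hash> *name" and a bare hash.
    expected=$(awk 'NR==1 {print tolower($1); exit}' "$sumfile")

    # Fail closed on anything that is not a well-formed digest (e.g. an HTML
    # error page that was saved in place of the checksum file).
    printf '%s' "$expected" | grep -Eq "^[0-9a-f]{$want_len}\$" || return 1

    # Actual digest of the artifact, computed locally with coreutils.
    actual=$("${algo}sum" "$artifact" | awk '{print tolower($1)}')
    [ "$actual" = "$expected" ]
}

# Example invocation (assumed file names):
# verify_checksum apache-tomcat-9.0.36.tar.gz apache-tomcat-9.0.36.tar.gz.sha512 && echo "checksum OK"
```

Passing the algorithm explicitly matters: a 64-character SHA-256 digest handed to the default SHA-512 check is rejected rather than silently compared against the wrong hash.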
helm-prov
TUF
A framework for securing software update systems
CIA
- Confidentiality
- Integrity
- Availability
provenance
“Provenance is information about entities, activities, and people involved in producing a piece of data or thing, which can be used to form assessments about its quality, reliability or trustworthiness.”
W3.org
DCT
Docker Content Trust (DCT) allows operations with a remote Docker registry to enforce client-side signing and verification of image tags. DCT provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.
Once DCT is enabled, image publishers can sign their images. Image consumers can ensure that the images they use are signed.
Traditionally, software image distribution systems sign images using GPG keys. Signing an image does prove the identity of the publisher and the authenticity of the image being published. However, signing alone does not provide several security mechanisms, such as the ability to survive a compromise of the signing keys.
Last updated 2020-06-27