
digital-signature interview questions

Top digital-signature frequently asked interview questions

Is it possible to sign a file using an ssh key?

I use SSH (OpenSSH 5.5p1 on Linux, to be precise). I have a key, on which I have a passphrase. I use this for the usual logging in to computers stuff.

Can I also use it to sign files?

As I understand it, an SSH key is an RSA (or DSA) key, and during the SSH login process, it is used to sign messages sent to the server. So in principle and in practice, it can be used to sign things - indeed, that is its sole purpose.

But as far as I can see, there is no way to use the key to sign an arbitrary file (as you would with PGP, say). Is there some way to do this?


Source: (StackOverflow)

GPG - verifying signatures without creating trust chain?

Is it possible to ask gpg (or gpg4win) to just verify whether a file was signed by a particular public key file, without having to import and sign and trust that key?

i.e. something like

gpg --using-key pubkey.txt --verify message.txt

as opposed to having to create your own private key and then do

gpg --import pubkey.txt 
gpg --lsign-key [name within pubkey.txt]
# ... something to do with choosing trust levels
gpg --verify message.txt

Source: (StackOverflow)


Is there a free PDF printer / distiller that creates signable documents?

I've used various methods (mentioned elsewhere on this site) to create PDFs, using a printer driver or converting from PostScript, etc. The common problem is that if I open any of the output files in the newer versions of Adobe Reader, there's an option to "Place Signature" but it's greyed out, or gives an error message that the feature has been disabled for this document. As far as I can tell, there's an option set somewhere in the document metadata that tells Reader "allow the user to sign this document", or don't. None of the free/open source tools that have been linked to in other SU posts have had this listed as an option (though to be fair I haven't actually downloaded and tried all of them).

Is there a tool that does this? Can I just poke a bit with a hex editor somewhere to turn on this functionality? I can sometimes get access to Acrobat Professional to turn on this option, but doing it for every desired case would be more work than I care to do. The current workaround for single-page documents is:

  1. Print the document to PDF (possibly via postscript)
  2. Open a single-page blank PDF with the "signable" bit turned on in Reader
  3. create a custom "stamp" using the Reader markup tools, by importing the printed-to document
  4. "stamp" an image of the printed document on the blank page, hoping to get it centered about right
  5. place a signature over the document-but-not-really you just stamped

This obviously does not scale well at all. It would be much better if I could:

  1. Print the document to PDF
  2. Drag the document to a simple shortcut / tool / whatever
  3. Open the document in Reader
  4. Place a signature in the document

ETA: Sorry, maybe I should have been clearer -- I'm talking about the certificate-based digital signing available in Adobe Reader, not adding a virtual ink signature. Also, any solution really would have to be available offline.


Source: (StackOverflow)

How to sign gmail email with digital signature?

I have my personal digital signature on the special card and the according reader. How can I sign an email (sending it with gmail) with this signature? I am on the latest OSX and use Google Chrome (but can use Windows 7, if it is really required).


Source: (StackOverflow)

Is it possible to sign archives?

I played with openssl to make a pub/prv key and create a signature of a file and validated it. I toyed with Cryptophane (windows gnupg frontend) and heard about keyservers+played with signing text.

I however have never signed a file archive. If I want to publish an archive (7z, rar or zip, it doesn't matter) and I'd like my users or software to be able to check if THAT archive has been signed, how would I do that? The public key obviously would need to be available publicly. But adding the signature to the archive is what bothers me. Does any software+archive allow me to sign and verify a compressed archive file?


Source: (StackOverflow)

How to install unsigned drivers on Windows 7?

I'm trying to install FreeOTFE on 64bit Windows 7. FreeOTFE comes with many drivers for various encryption algorithms, that need to be installed.

Windows gives me the error that, since those aren't signed drivers, they won't be installed.

How do I turn those signature checks off, and back on?

I tried setting boot config values:

bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING OFF

But after a reboot, things were still the same.

All I know is, that I need to switch Windows into test mode, but how do I do that? The other alternative is to install a 3rd-party tool, to temporarily override the signature enforcement, but I don't really want that.


Source: (StackOverflow)

Where to find the latest digitally signed Synaptics touchpad driver?

In the past, Synaptics provided their touchpad drivers in a digitally-signed self-extracting executable. For example, here is an older version of the driver hosted on the official Synaptics website, that is provided in a digitally-signed self-extracting executable:

http://drivers.synaptics.com/Synaptics_v15_2_20_C_XP64_Vista64_Win7-64_Signed_Marketing_SGS94_UI-Scrybe.exe

However, the link on their website for the latest version of the driver currently points to an unsigned ZIP archive.

Where can I find the digitally-signed self-extracting executable for the latest version of the Synaptics touchpad driver?

Or, if they've stopped providing their newest drivers in a digitally-signed self-extracting executable, what's the most recent version of the driver that was provided in a digitally-signed self-extracting executable?

OS: Windows
Kernel: NT 6.2
Arch: x86_64


Source: (StackOverflow)

Trusted email: Digital signature with Gmail (IE)

There are places on the internet where you can get a free digital signature for email.

How can I use it with Gmail and Internet Explorer?


Source: (StackOverflow)

How can I digitally sign a PDF document quickly and cheaply?

I need to digitally sign a PDF document. However, Acrobat reader does not let me sign documents. I just need to sign the document, not edit it.

Do I need to buy the full Acrobat software?

Or is there a better, simpler way?


Source: (StackOverflow)

GnuPG Command Line - Verifying KeePass Signature

I'm trying to verify the PGP Signature of the latest version of KeePass 2.14's setup file against this signature, but this is the output I receive:

C:\Program Files (x86)\GNU\GnuPG>gpg.exe --verify C:\Users\User\Desktop\KeePass-2.14-Setup.exe
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

C:\Program Files (x86)\GNU\GnuPG>

I found this command here, but it made no mention of ".sig" or ".asc" files, so I figured I did something wrong. By reading the man pages, I further tried the following:

C:\Program Files (x86)\GNU\GnuPG>gpg.exe --pgpfile C:\Users\User\Desktop\KeePass-2.14-Setup.exe
gpg: Invalid option "--pgpfile"

C:\Program Files (x86)\GNU\GnuPG>

As you can see, the results are quite obfuscating...

I took a look at this on SuperUser, but none of the links seemed to really address my question, at least not directly enough for me to get any idea on how to move forward on this.

Can anybody here help me with the esoteric technicality of OpenPGP & the associated use of the GnuPG program? I've felt pretty dumb learning VBS, but this is beyond humiliating: it's absolutely debilitating and maiming whatever confidence I had with my IT skills (then again, I have no justification for making any boast either, as I have yet to get my A+ Cert, lol).


UPDATE 04-04-2011

Okay, so I got tired of fooling around with Windows and decided I'd do it right by booting up Ubuntu; this alone made things much more logical!

So here's my list of commands and where I'm at:

  1. proto@type:~$ cd Desktop/

  2. proto@type:~/Desktop$ gpg --import KeePass-2.14-Setup.exe.asc
     gpg: no valid OpenPGP data found.
     gpg: Total number processed: 0

  3. proto@type:~/Desktop$ gpg --import Dominik_Reichl.asc
     gpg: /home/proto/.gnupg/trustdb.gpg: trustdb created
     gpg: key FEB7C7BC: public key "Dominik Reichl " imported
     gpg: Total number processed: 1
     gpg:               imported: 1

  4. proto@type:~/Desktop$ gpg --verify KeePass-2.14-Setup.exe
     gpg: no valid OpenPGP data found.
     gpg: the signature could not be verified.
     Please remember that the signature file (.sig or .asc)
     should be the first file given on the command line.

  5. proto@type:~/Desktop$ gpg --verify KeePass-2.14-Setup.exe.asc
     gpg: Signature made Sun 02 Jan 2011 05:25:24 AM MST using DSA key ID FEB7C7BC
     gpg: Good signature from "Dominik Reichl "
     gpg: WARNING: This key is not certified with a trusted signature!
     gpg:          There is no indication that the signature belongs to the owner.
     Primary key fingerprint: 2171 BEEA D0DD 92A1 8065  5626 DCCA A5B3 FEB7 C7BC

  6. proto@type:~/Desktop$ gpg --verify Dominik_Reichl.asc
     gpg: verify signatures failed: unexpected data

As Mike instructed, I placed ".exe" & the ".asc" files in the same directory, that being the Desktop. As you can see in the code, I also placed the public key "Dominik_Reichl.asc" in the Desktop directory.

Please be patient with me, as I've been thoroughly spoiled by MD5; I'm assuming that Step 5 from above is the GPG equivalent to this:

C:\Users\user\>CD Desktop

C:\Users\user\Desktop>MD5Sum KeePass-2.14-Setup.exe
bae59065b24f0a6f2ed4bb9e0d6fc65f *KeePass-2.14-Setup.exe

I say this because the behavior changes whenever I move the "KeePass-2.14-Setup.exe" file into a "temp" folder on the Desktop. When I run the command, this is the result I get:

proto@type:~/Desktop$ gpg --verify KeePass-2.14-Setup.exe.asc
gpg: no signed data
gpg: can't hash datafile: file open error

These results have led me to believe that I'm supposed to extract the "DSA key ID" & the "Primary key fingerprint", from Step 5, and compare them to the values at the top of the Signature Page. So, is this where the similarity is at with MD5 verification? Is this all there is to it? Or is there a further step? Is there a command that I use to verify these two strings? Are those strings what I really need to check? What are those strings?



Now there's one other issue that I'm having to contend with. In the "Primary key fingerprint" results, I have 2 spaces between the "8065" and the "5626". When I use a spreadsheet to verify my results with the string on the Signature Page, I get a "FALSE" result because of the extra whitespace in my results. I checked the source of the Signature Page to see if the browser was ignoring the extra white space, but that's not the case.

2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC    # From Source of Signature Page
2171 BEEA D0DD 92A1 8065  5626 DCCA A5B3 FEB7 C7BC    # From My Results

As long as I remove that extra whitespace, my results match with that from the Signature Page, but shouldn't they match without any intervention on my part? Should a difference in whitespace be cause for alarm?

Unfortunately, the GPG Man Pages are still quite obscure to me, or as some may put it "user-hostile" (search "user hostile gpg"), so I'll need a couple extra carrots tossed my way. I'll admit it: I'm dumb. In fact, when I was still learning how to use MD5 verification, I floundered around with it almost as much as I did with this.


Source: (StackOverflow)
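The comparison the question is circling around (Step 5's "Primary key fingerprint" and "key ID" against the values published on the signature page) is a string comparison that should ignore the grouping whitespace gpg inserts. The following Python is an added example, not code from the question or from GnuPG: it parses the gpg --verify output quoted in the post, normalises both fingerprints by dropping all whitespace, checks that the printed key ID is the trailing hex digits of the fingerprint (an OpenPGP key ID is the low-order bits of the fingerprint, so an 8-digit short ID alone is not enough to identify a key; the full 40-digit fingerprint is what to compare), and only then reports a match. The published-fingerprint string is the one quoted in the question.

```python
import hmac
import re

# gpg --verify output as quoted in the question above (Step 5), including the
# double space gpg prints in the middle of the fingerprint.
VERIFY_OUTPUT = """\
gpg: Signature made Sun 02 Jan 2011 05:25:24 AM MST using DSA key ID FEB7C7BC
gpg: Good signature from "Dominik Reichl"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2171 BEEA D0DD 92A1 8065  5626 DCCA A5B3 FEB7 C7BC
"""

# Fingerprint as it appears in the source of the signature page quoted in the question.
PUBLISHED_FINGERPRINT = "2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC"

KEY_ID_RE = re.compile(r"using \w+ key ID ([0-9A-Fa-f]{8,16})")
FPR_RE = re.compile(r"Primary key fingerprint:\s*([0-9A-Fa-f ]+)")
GOOD_RE = re.compile(r"^gpg: Good signature from", re.MULTILINE)


def normalize_fingerprint(text):
    """Drop every whitespace character and upper-case the hex digits.

    An OpenPGP v4 fingerprint is 160 bits, i.e. exactly 40 hex digits; anything
    else is rejected so that a truncated or mangled value cannot 'match'.
    """
    fpr = "".join(text.split()).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % text)
    return fpr


def fingerprints_match(a, b):
    """Whitespace-insensitive, constant-time comparison of two fingerprints."""
    return hmac.compare_digest(normalize_fingerprint(a), normalize_fingerprint(b))


def parse_verify_output(output):
    """Return (good, key_id, fingerprint) extracted from gpg --verify's text."""
    good = GOOD_RE.search(output) is not None
    kid = KEY_ID_RE.search(output)
    fpr = FPR_RE.search(output)
    key_id = kid.group(1).upper() if kid else None
    fingerprint = normalize_fingerprint(fpr.group(1)) if fpr else None
    return good, key_id, fingerprint


def key_id_belongs_to(fingerprint, key_id):
    """A key ID is the low-order 32 (short) or 64 (long) bits of the fingerprint,
    so it must equal the last 8 or 16 hex digits of the normalised fingerprint."""
    return normalize_fingerprint(fingerprint).endswith(key_id.upper())


def check_signature(output, published_fingerprint):
    """True only if gpg reported a good signature AND the signing key's full
    fingerprint equals the independently published one."""
    good, key_id, fpr = parse_verify_output(output)
    if not good or fpr is None:
        return False
    if key_id is not None and not key_id_belongs_to(fpr, key_id):
        return False
    return fingerprints_match(fpr, published_fingerprint)


if __name__ == "__main__":
    print("fingerprint matches:", check_signature(VERIFY_OUTPUT, PUBLISHED_FINGERPRINT))
```

Note that a "Good signature" line only says the file was signed by the key gpg found in its keyring; the fingerprint comparison against a value obtained through a separate channel (the project's signature page, in the question) is what ties that key to the author, which is why this example refuses to report success on the "Good signature" line alone.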

Can signature verification expose a rootkit?

I know that rootkits operate as part of the kernel, driver or service running on the system, injecting themselves into DLLs or installing as legitimate applications.

If I were to scan the system with sigverif.exe, would the files injected with the rootkit have broken signatures?


Source: (StackOverflow)

Need a solution to verifying expired digital signatures

I use digital signatures for signing my invoices (required by law for digital invoicing in my country). The problem is, my local authority issues signing certificates that are only valid for a year (pretty much any certificate authority does this).

Each year this leaves me with a bunch of PDFs for which Acrobat Reader says that the signature cannot be verified because the certificate might have expired or been revoked. (I use the 9th version for 64 bit Linux, but the X version for Windows does the same thing).

Is there a program that can tell me if such an unverifiable signature was ever valid against a given public certificate and when?

(If not, would it be technically possible to piece it together?)

Thanks, Peter


Source: (StackOverflow)

Windows 7 claims driver is not digitally signed, but it is

On this system the WLAN AutoConfig service will not start:

In error log/system:

"The WLAN AutoConfig service depends on the NativeWiFi Filter service which failed to start because of the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

In error/log security:

"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. C:\Windows\system32\drivers\nwifi.sys"

I ran sfc /scannow and it found no errors.

I ran sigverif and it says that this file, along with vwififlt.sys are not signed.

Next I uploaded nwifi.sys and vwififlt.sys to virustotal, which says they are signed and Ok.

Finally I directly compared these files with the same files on another Windows 7 machine. They have identical sha256 and md5 sums, and the other machine thinks that they are signed.

What is happening?


Source: (StackOverflow)

Microsoft Word and digital signatures using PGP?

I have a document for a project that I am working on with my team, and I need to digitally sign the document in a way that can be verified by other members of the team. The catch is, internally, we are using PGP (the commercial version, I think). It appears that, for all intents and purposes, PGP is wholly incompatible with any of Microsoft Office's built-in digital signature functions. Ditto for Adobe Acrobat.

This is baffling, because PGP is a defined RFC, 4880, so I would imagine that it is possible for MS to integrate SOME kind of support for either X.509 or PGP. Signing a document using the external PGP software, however, produces a stand-alone *.sig file that has to tag along with the original document for anyone to be able to verify its authenticity. Since I have multiple people that need to digitally sign this document, I have no idea if this means I would need to manage one *.sig for each signee, or if a single *.sig file can hold multiple signatures by different signees.

Is there a solution of some kind that can allow me to digitally authenticate/verify Word or PDF documents using PGP keys amongst members of a team? It'd be great if there is something that can leave a visual mark within the document itself, too.

I figured that if there was a way to export an X.509/PKCS-12 certificate based off of a public PGP key, and then store that certificate in Windows' internal certificate store (certmgr), then maybe I could get Office to pull from that. But this appears to be impossible. I mean, aren't both technically bog-standard PKI certificates?

Assume that each signee has their own PGP keypair with passphrase and that there is an internal PGP keyserver that everyone can sync to.

Thoughts?


Source: (StackOverflow)

How do I digitally sign a 64-bit kernel mode driver?

I have a kernel mode driver and I have to install it on 64 bit win 7. It needs to be digitally signed. I digitally signed it using the dseo13b.exe. But when I load the driver I get an error in the system event log saying

The driver failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

I don't want to use the test signing mode. How do I resolve this? Do I need to get a certificate from Microsoft?

I have developed the driver and am now making it work on the 64 bit machine.

My company might purchase the certificate from VeriSign, but what do I do after I acquire a certificate? How do I link the driver file with the certificate I get? And also, how do I link the cross certificate downloaded from the internet with the certificate I get from VeriSign? I read the doc KMSC_WalkThru (How to Release-Sign a Kernel Module) but these things were not clear from it. Can you please help.

Also, how do I get the following:

mySPCfile.spc     Your public key certificate file.
myPVKfile.pvk     Your private key certificate file.
myPVKpassword     The password for the private key certificate file.

Mentioned in here.


Source: (StackOverflow)