wiki:KeySetup

Version 8 (modified by davea, 16 years ago) (diff)

--

File signing utilities

Use sign_executable to sign executable files:

sign_executable file_to_sign private_key_file > signature_file

sign_executable is compiled in the lib/ directory, and installed in your project's bin/ directory. It writes the signature to stdout.

Creating encryption keys

The program lib/crypt_prog performs various encryption tasks.

crypt_prog -genkey nbits private_keyfile public_keyfile
Create a key pair with nbits bits (always use 1024). Write the keys in encoded ASCII form to the indicated files.

The following commands generate the file upload and code signing key pairs. BOINC_KEY_DIR is the directory where the keys will be stored. The code signing private key should be stored only on a highly secure (e.g., a disconnected, physically secure) host.

crypt_prog -genkey 1024 BOINC_KEY_DIR/upload_private BOINC_KEY_DIR/upload_public
crypt_prog -genkey 1024 BOINC_KEY_DIR/code_sign_private BOINC_KEY_DIR/code_sign_public

Other functions of crypt_prog:

crypt_prog -sign file private_keyfile
Create a digital signature for the given file (same as sign_executable).
crypt_prog -sign_string string private_keyfile
Create a digital signature for the given string, write it to stdout.
crypt_prog -verify file signature_file public_keyfile
Verify a signature for the given file.
crypt_prog -test_crypt private_keyfile public_keyfile
Perform an internal test, checking that encryption followed by decryption works.
crypt_prog -cert_verify file signature_file certificate_dir ca_dir
Verify a certificate-based signature for the given file.
crypt_prog -convsig o2b/b2o input_file output_file
Convert a signature from OpenSSL form to/from BOINC form.
crypt_prog -convkey o2b/b2o priv/pub input_file output_file
Convert a key from OpenSSL form to/from BOINC form.