Signatures and Hashes - ligos/readablepassphrasegenerator GitHub Wiki
Signatures and Hashes
From version 1.0.0, all releases (ZIP, PLGX and NUPKG files) have hashes, PGP and KeyBase signatures to verify their authenticity. The PGP public keys are listed below.
All versions (from 0.1 onwards) are signed with a .NET Strong Name, which can be used to verify the DLLs and EXEs (but not the ZIP and PLGX files). The public key is located in GitHub, and below.
Caveats
Note that while the Strong Name key provides some evidence that the DLL / EXE has not been tampered with, it is entirely possible to circumvent and doesn't stop the plugin from being loaded by the .NET runtime. The KeePass Plugin is signed with a Strong Name; NuGet packages for .NET Standard are not.
Note that GitHub uses HTTPS for all connections (including uploading and downloading releases). Thus the hashes do not provide any real authenticity. That is, the files are highly unlikely to be tampered with during download (because of HTTPS). They are much more likely to be tampered with due to my GitHub account being hacked, or GitHub themselves changing the file on their server. And in either of those cases any bad guy who posts a malicious ZIP or PLGX file can just as easily post the correct hash.
If you really want to verify your downloads, use the PGP or KeyBase signatures.
I have mirrored the PGP public keys and all signatures on id.ligos.net, and on my GitHub profile. As of version 1.1.1 (released 2018-04-21), the below PGP keys are part of my KeyBase public profile. My KeyBase profile is https://keybase.io/ligos. (Note that the signing keys for PGP & KeyBase are different). (Note that KeyBase has discontinued their public filesystem; signatures are available on id.ligos.net).
If you want further evidence of my sole ownership of the PGP key pair, you'll need to find someone who can verify it personally and attest as such in Sydney, Australia.
PGP Public Key (Github, effective from October 2019, V1.2.0)
User-ID: Murray Grant (Github) [email protected]
Validity: from 2019-10-16 until forever
Certificate type: 3,072-bit RSA (secret key available)
Certificate usage: Signing EMails and Files, Encrypting EMails and Files, Certifying other Certificates
Key-ID: 8508 90F4 15AE 49CE
Fingerprint: 13D7 2C26 A635 5365 8673 BE8D 8508 90F4 15AE 49CE
PGP Public Key (from BitBucket days, V1.1.2 and earlier)
User-ID: Murray Grant (BitBucket Code Signing) [email protected]
Validity: from 2017-05-08 until forever
Certificate type: 2,048-bit RSA (secret key available)
Certificate usage: Signing EMails and Files, Encrypting EMails and Files, Certifying other Certificates
Key-ID: 9321 9E8E 622E DAF0
Fingerprint: 1812 7884 6ED1 2B2D 4B8B D773 9321 9E8E 622E DAF0
.NET Strong Name Public Key
C:\Users\msn\Documents\programming\dot net>sn -tp MurrayGrant.public.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Public key (hash algorithm: sha1):
002400000480000094000000060200000024000052534131000400000100010019de0ad9da8e43
99f52daf2410b78a1e3fd4a9c290276bdbdddd8d1f7ab062d581af75b535d85c03c59805b10c11
633c7388d63ea1bf2d450db926a2024a31e910bf129feb243c429b40532e377ae580cf1115f94d
6dc7e4c811ce3175a9d06b1be3a7e0c54d00ef329e21901288b7e2bb616aa7d63dfe687261f012
7f021cda
Public key token is aacd6bbb302d670a
How to Verify Using GPG
- Import the public PGP block, from above, into your GPG key store.
- Download the zip / plgx and associated signature txt files.
- Remove everything from the signature txt file except the PGP signature block.
- Rename the text file to `.asc`, if it makes you feel better.
- Run `gpg --verify <signature file> <zip or plgx file>`
Example:
PS C:\Users\msn\Downloads> cat '.\PassphraseGenerator Console 1.0.0.zip.txt'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAABCAAGBQJZEFokAAoJEJMhno5iLtrwk5YH/RjttHIidfsDQZFn7u4rkqyv
JyuWzGLkjHm7P9LSG0EhTniqZecZvBrVQmBbuMEcd74Si+MARBdEG+sHq/cLAEPV
vKAnG9Ji179lDfB8mrylin0RHR/3uQLQxP9ms4g7Wf4ayp73TuQ85GP5+ILI7PQk
iinvof2PKguyD9/Yx13yNSTqeD0gY2fA1rEjgr0hLWZusoFZdD6A4AAWNpIvQtMO
BCYvqaNiMe/Kl5qvrsrJFiKwWdXXwPSsMtfZncLx4OjD9odfdalKG+a4V1jtUORG
iZrMfiOBu0Stiy27XgNTxac4+8mdSmuagEbJ6dehuCjHVTnmgTxnGaFvsf/k/SQ=
=Hhz0
-----END PGP SIGNATURE-----
PS C:\Users\msn\Downloads> gpg --verify '.\PassphraseGenerator Console 1.0.0.zip.txt' '.\PassphraseGenerator Console 1.0.0.zip'
gpg: Signature made 05/08/17 21:44:36 AUS Eastern Standard Time
gpg: using RSA key 93219E8E622EDAF0
gpg: Good signature from "Murray Grant (BitBucket Code Signing) <[email protected]>" [ultimate]
PS C:\Users\msn\Downloads>
PS C:\Users\msn\Downloads> cat '.\ReadablePassphrase 1.0.0.plgx.txt'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAABCAAGBQJZEFqWAAoJEJMhno5iLtrw9sQH/3xAgMMW3y6z61+neI/UoF00
osv/T0gf9D7CK0xvggmknsrr9te4ZJVQXU+e2VjZSh8gTt0U51yxkWElsijzpuqJ
0hCoyWLiuT5gWL/E9dD9sLRMlAeY9n3jNeF9abCnnfR41RIBxCTqCmlni4sq0NM1
s4QRvf/K0UJm9xzt+0t13Amn1b/Thzb8PQGBSfEA8sPqaaUE8VlXPucjmNX/fgkX
O4eaTJqmVIot4cnHJYzxys72x4w0YYwClDcPhmFh0nSZxi5lUDJWOEMNnDlKmRXA
kYYe9uDGxmC7se44AYk7FoAl/lNqQ1d64lXoGj3U1zxesFikYmMaDsHzWLssRTI=
=RLtW
-----END PGP SIGNATURE-----
PS C:\Users\msn\Downloads> gpg --verify '.\ReadablePassphrase 1.0.0.plgx.txt' '.\ReadablePassphrase 1.0.0.plgx'
gpg: Signature made 05/08/17 21:46:30 AUS Eastern Standard Time
gpg: using RSA key 93219E8E622EDAF0
gpg: Good signature from "Murray Grant (BitBucket Code Signing) <[email protected]>" [ultimate]
PS C:\Users\msn\Downloads>
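The steps above scripted in PowerShell, as an added example that is not part of the original wiki or the project's code. It extracts the signature block, runs gpg with `--status-fd`, and accepts the file only if the signing key's fingerprint is one of the two listed on this page, because gpg reports "Good signature" for any key in your keyring. The function and parameter names are hypothetical; gpg is assumed to be on the PATH with the public key already imported.

```powershell
# Added example, not the project's own script. Names below are hypothetical.
# Fingerprints are the two listed on this page, with the spaces removed.
$TrustedFingerprints = @(
    '13D72C26A63553658673BE8D850890F415AE49CE',  # GitHub key, V1.2.0 onwards
    '181278846ED12B2D4B8BD77393219E8E622EDAF0'   # BitBucket key, V1.1.2 and earlier
)

function Test-ReleaseSignature {
    param(
        [Parameter(Mandatory)] [string] $SignatureTxt,  # downloaded signature .txt file
        [Parameter(Mandatory)] [string] $ReleaseFile    # downloaded zip / plgx file
    )

    # Keep only the armored PGP signature block from the txt file.
    $text  = Get-Content -LiteralPath $SignatureTxt -Raw
    $block = [regex]::Match($text,
        '(?s)-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----')
    if (-not $block.Success) { throw "No PGP signature block found in $SignatureTxt" }

    $ascPath = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName() + '.asc')
    Set-Content -LiteralPath $ascPath -Value $block.Value -Encoding Ascii
    try {
        # --status-fd 1 writes machine-readable "[GNUPG:] ..." lines to stdout;
        # the human-readable messages still go to the console via stderr.
        $status = & gpg --batch --status-fd 1 --verify $ascPath $ReleaseFile
    } finally {
        Remove-Item -LiteralPath $ascPath -ErrorAction SilentlyContinue
    }
    if ($LASTEXITCODE -ne 0) { return $false }   # bad signature or missing key

    # VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
    $line = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } |
        Select-Object -First 1
    if (-not $line) { return $false }

    $fields  = $line -split ' '
    $signers = @($fields[2], $fields[-1])        # signing key and its primary key
    return [bool]($signers | Where-Object { $TrustedFingerprints -contains $_ })
}

# Usage, with the file names from the session above:
# Test-ReleaseSignature -SignatureTxt '.\PassphraseGenerator Console 1.0.0.zip.txt' `
#                       -ReleaseFile  '.\PassphraseGenerator Console 1.0.0.zip'
```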
How to Verify Using KeyBase
- Download the zip / plgx and associated signature txt files.
- Remove everything from the signature txt file except the single line starting with `BEGIN KEYBASE SALTPACK DETACHED SIGNATURE.`
- Rename the text file to `.asc`, if it makes you feel better.
- Run `keybase verify -d <signature file> -i <zip or plgx file>`
Example:
PS C:\Users\msn\Downloads> cat '.\ReadablePassphrase 1.1.1.plgx.keybase.asc'
BEGIN KEYBASE SALTPACK DETACHED SIGNATURE. kXR7VktZdyH7rvq v5weRa8moLXtsPx 1HB5gQmN1wVxZgq P8w5myeex0QH59F sxVTEupRMAbKyzu E31Jvb5rnhd0ujW houueotpNaURv6M tDssk8aoe5fwd4m VwUBeq8q4bNRbfQ 8n3iqL2Xq2VEVa5 cRCtrEgv7aLnb4o NoPKat60ZYMsFmC q. END KEYBASE SALTPACK DETACHED SIGNATURE.
PS C:\Users\msn\Downloads> keybase verify -d '.\ReadablePassphrase 1.1.1.plgx.keybase.asc' -i '.\ReadablePassphrase 1.1.1.plgx'
Signature verified. Signed by ligos (you).
PS C:\Users\msn\Downloads>