In this example we verify the signature of a Ghaf package that was built and signed by the themisto server. These steps can be applied to any Ghaf package.
Step-by-Step Instructions:

- Download and extract the package in an empty directory

    mkdir verify
    cd verify
    wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-06/files/ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz
    tar -xf *.tar.xz
    cd ghaf-24.06_Lenovo_X1_Carbon_Gen11
    cd Image
    tar xf *.tar.xz
    ls

- Download sha256tree.py script (required for calculating hashes for directory trees)

    wget https://raw.githubusercontent.com/tiiuae/ci-public/main/sha256tree/sha256tree.py

- Create the hash of the output directory and convert to binary format

    python3 sha256tree.py --plain x038z51wl2cpb06g7v5wg52r85w1v0aq-ghaf-host-disko-images > digest.hex
    xxd -r -p digest.hex digest.bin

- Decode the signature to binary format

    openssl enc -base64 -d -in h63fl926x4nl9q1j3lv0gqim7j8yq32j-x038z51wl2cpb06g7v5wg52r85w1v0aq-ghaf-host-disko-images-themisto.signature -out signature.bin

- Download the public key for themisto

    wget https://ghafreleasesstorage.z16.web.core.windows.net/keys/themisto.pub

- Verify the signature

    openssl dgst -sha256 -verify themisto.pub -signature signature.bin digest.bin

Example run with output:

    [karim@nixos:~]$ mkdir verify
    [karim@nixos:~]$ cd verify
    [karim@nixos:~/verify]$ wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-06/files/ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz
    --2024-09-25 15:29:07-- https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-06/files/ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz
    Resolving ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)... 20.60.246.36
    Connecting to ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)|20.60.246.36|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3707191756 (3,5G) [application/x-xz]
    Saving to: ‘ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz’

    ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz 100%[=====================================================================================================================================>] 3,45G 11,6MB/s in 5m 34s

    2024-09-25 15:34:41 (10,6 MB/s) - ‘ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz’ saved [3707191756/3707191756]

    [karim@nixos:~/verify]$ tar -xf *.tar.xz
    [karim@nixos:~/verify]$ cd ghaf-24.06_Lenovo_X1_Carbon_Gen11
    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11]$ cd Image
    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ tar xf *.tar.xz
    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ ls
    h63fl926x4nl9q1j3lv0gqim7j8yq32j-x038z51wl2cpb06g7v5wg52r85w1v0aq-ghaf-host-disko-images-themisto.signature
    x038z51wl2cpb06g7v5wg52r85w1v0aq-ghaf-host-disko-images
    x038z51wl2cpb06g7v5wg52r85w1v0aq-ghaf-host-disko-images-themisto-323.tar.xz
    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ wget https://raw.githubusercontent.com/tiiuae/ci-public/main/sha256tree/sha256tree.py
    --2024-03-27 09:30:33-- https://raw.githubusercontent.com/tiiuae/ci-public/main/sha256tree/sha256tree.py
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4479 (4,4K) [text/plain]
    Saving to: ‘sha256tree.py’

    sha256tree.py 100%[===================================>] 4,37K --.-KB/s in 0s

    2024-03-27 09:30:33 (34,7 MB/s) - ‘sha256tree.py’ saved [4479/4479]

    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ python3 sha256tree.py --plain x038z51wl2cpb06g7v5wg52r85w1v0aq-ghaf-host-disko-images > digest.hex
    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ xxd -r -p digest.hex digest.bin
    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ openssl enc -base64 -d -in h63fl926x4nl9q1j3lv0gqim7j8yq32j-x038z51wl2cpb06g7v5wg52r85w1v0aq-ghaf-host-disko-images-themisto.signature -out signature.bin
    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ wget https://ghafreleasesstorage.z16.web.core.windows.net/keys/themisto.pub
    --2024-03-27 09:36:02-- https://ghafreleasesstorage.z16.web.core.windows.net/keys/themisto.pub
    Resolving ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)... 20.60.246.36
    Connecting to ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)|20.60.246.36|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 178 [application/octet-stream]
    Saving to: ‘themisto.pub’

    themisto.pub 100%[===================================>] 178 --.-KB/s in 0s

    2024-03-27 09:36:02 (103 MB/s) - ‘themisto.pub’ saved [178/178]

    [karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Image]$ openssl dgst -sha256 -verify themisto.pub -signature signature.bin digest.bin
    Verified OK
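
For scripted use (CI, provisioning), the decode and verify steps above can be wrapped so that any malformed input or failed check stops the process. This is an added example, not part of the Ghaf tooling: the function name `verify_ghaf_sig`, its arguments and return codes, and the optional key-pinning argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Ghaf tooling: verify_ghaf_sig and its arguments are
# hypothetical names wrapping the xxd/openssl steps from the page.
# Usage: verify_ghaf_sig DIGEST_HEX SIG_B64 PUBKEY_PEM [PINNED_KEY_SHA256]
# Returns 0 only if every check passes; 2 = bad input, 3 = key mismatch,
# 1 = signature does not verify.
verify_ghaf_sig() {
    local digest_hex=$1 sig_b64=$2 pubkey=$3 pinned=${4:-}
    local work hex key_fp rc=0
    work=$(mktemp -d) || return 2

    # The tree digest must be exactly one SHA-256 value (64 hex characters);
    # an empty or truncated digest.hex must never reach the verify step.
    hex=$(tr -d ' \r\n' < "$digest_hex")
    if ! printf '%s' "$hex" | grep -Eq '^[0-9a-fA-F]{64}$'; then
        echo "digest is not 64 hex characters" >&2; rc=2
    fi

    # Optional pinning (assumption: PINNED_KEY_SHA256 is the SHA-256 of the
    # key file, obtained over a channel other than the download server).
    if [ "$rc" -eq 0 ] && [ -n "$pinned" ]; then
        key_fp=$(sha256sum < "$pubkey" | cut -d' ' -f1)
        if [ "$key_fp" != "$pinned" ]; then
            echo "public key does not match pinned fingerprint" >&2; rc=3
        fi
    fi

    if [ "$rc" -eq 0 ]; then
        printf '%s' "$hex" | xxd -r -p > "$work/digest.bin"
        # Malformed base64 may yield empty output, so also require a
        # non-empty signature.bin.
        if ! openssl enc -base64 -d -in "$sig_b64" -out "$work/signature.bin" \
            || [ ! -s "$work/signature.bin" ]; then
            echo "signature is not valid base64" >&2; rc=2
        fi
    fi

    # openssl hashes digest.bin with SHA-256 again before checking the
    # signature, matching how the page's final command is invoked.
    if [ "$rc" -eq 0 ] && ! openssl dgst -sha256 -verify "$pubkey" \
        -signature "$work/signature.bin" "$work/digest.bin" >/dev/null 2>&1; then
        echo "signature verification FAILED" >&2; rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# Stand-alone use: run the script with the three (or four) arguments above.
[ "$#" -lt 3 ] || verify_ghaf_sig "$@"
```

With the files from the steps above, the call would be `verify_ghaf_sig digest.hex <signature file> themisto.pub`, and the script's exit status can gate whatever consumes the image.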