Readme- Improve binary file image verification script on the Windows Platform #352
Conversation
Improvements to Binary file verification on Windows Platform
Marc-Gee
changed the title
Replacement powershell script to emulate SHASUM command but on windows!
|
The updated powershell script is submitted. |
The scripts [computed checksum failure] message is changed to match to the Linux SHASUM failure output.
|
@Dimi8146 and I discusssed today that the '-eq $True' is actually redundant. so possible code can drop off a few lines by incorporating the check of the files existence into the final line. Hence a possible modification of the combined line is : '.... Sorry backticks and Comments #'s didnt play nice in this comment box . |
Marc-Gee
force-pushed
the
windows_Verify
branch
2 times, most recently
from
b0ece84
to
bf82ab7
Compare
|
Hi guys, |
|
Copying and pasting the snippet worked via CTRL-V and got the "OK" message. However, the Windows shortcut of right-clicking the mouse to insta-paste made a mess in the terminal and did not yield a usable script. |
|
NACK on the script approach. I'm not a Windows scripting expert at all and the vast majority of people have even less knowledge here. In Windows (in particular!!!!) we don't want people running scripts they don't understand. I feel much more comfortable with single step commands that I can execute on my own and understand what each command is doing. I'd prefer a simplified approach that is more like: ...after verifying sig file Calculate the hash of the image you downloaded: # method 1:
Get-FileHash seedsigner*.img
# Or method 2 (must specify the exact img filename)
CertUtil -hashfile type-your-img-filename-here SHA256Display the hashes contained in the .sha256 manifest file: type seedsigner*.sha256Find the hash for the image you downloaded and compare against your calculated result above. If the two values match (uppercase vs lowercase does not matter), then you know you have downloaded an authentic release image. Why add the It doesn't accept wildcards, which is annoying, but I think it's better to conform to what other major projects use for verification. |
|
How's this? Code: Example: |
|
Everytime I spend hours writing some code , Dimi is already ahead of me, on the same idea and he publishes it before me!! 🤣
I must learn to put my unfinished ideas up already, before they are perfect.....
#AlwaysLearning
I did a similar technique but used getfilehash not certutil. (because certutil is an exe, and getfilehash is a PowerShell command, so it was hard to cross that boundary/ meme space.
Well done Dimi!
Will post my own (imperfect) code later today.
Marc.
…________________________________
From: Dimi8146 ***@***.***>
Sent: Tuesday, July 4, 2023 4:38:58 AM
To: SeedSigner/seedsigner ***@***.***>
Cc: Marc G ***@***.***>; Author ***@***.***>
Subject: Re: [SeedSigner/seedsigner] Readme- Improve binary file image verification script on the Windows Platform (PR #352)
How's this?
Code:
$files = Get-ChildItem -Filter seedsigner*.img
$files | ForEach-Object { CertUtil -hashfile $_.FullName sha256}
Example:
PS C:\WINDOWS\system32> cd C:\users\dimi8146\Downloads
PS C:\users\dimi8146\Downloads> $files = Get-ChildItem -Filter seedsigner*.img
$files | ForEach-Object { CertUtil -hashfile $_.FullName sha256}
SHA256 hash of C:\users\dimi8146\Downloads\seedsigner_os.0.6.0.pi0.img:
750f406c133d17994eb58544aad82b20f1478c8663af303e45b2d9c49c4e9825
CertUtil: -hashfile command completed successfully.
SHA256 hash of C:\users\dimi8146\Downloads\seedsigner_os.0.6.0.pi02w.img:
0012ae613545eecf6ff40a17967a91f0e89d28f0db1fbafcdd371a58b237b3f2
CertUtil: -hashfile command completed successfully.
SHA256 hash of C:\users\dimi8146\Downloads\seedsigner_os.0.6.0.pi2.img:
749115b3f222f45a20a632996939afa0bb75bc0591979f5be30b0335ebd3f378
CertUtil: -hashfile command completed successfully.
SHA256 hash of C:\users\dimi8146\Downloads\seedsigner_os.0.6.0.pi4.img:
78a15b08ed163b1911320e436ea7002cb8daf49c6867fb29b4d5f94dca107cb1
CertUtil: -hashfile command completed successfully.
—
Reply to this email directly, view it on GitHub<#352 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVYRGJJZNBC5CIA4RUH6PZLXOOF5FANCNFSM6AAAAAAV76T22Y>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
NACK on any Windows scripting dependencies ( Assume most users will download a single .img (so no need to iterate over all possible img matches). Users can visually inspect the .sha256 file to find their expected matching hash (so no need to find the matching line in that file via scripting). Simplicity. Simplicity. Simplicity. I still much prefer: #352 (comment) |
newtonick
added
documentation
|
Hi Guys, I also prefer #352 Step 2. Verifying that the software images/binaries are genuineNow that you have confirmed that you do have the real SeedSigner Project's Public Key (ie the 16 characters match) - you can return to your terminal window. Running the shasum command, is the final verification step and will confirm (via file hashing) that the software code/image files, were also not altered since publication, or even during your download process. On Linux or OSX: Run this command After entering the command, it should display: If you receive the "OK" message for your seedsigner_os.0.7.x.[Your_Pi_Model_For_Example:pi02w].img file, as shown above, then your verification is fully complete! On Windows (inside Powershell): Run this command Display the hashes contained in the .sha256 manifest file: Find the hash for the image you downloaded and compare against your calculated result above. If the two values match (uppercase vs lowercase does not matter), then you know you have downloaded an authentic release image. You can proceed to create/write your MicroSD card If your file result shows "FAILED", then you must stop here immediately. Do not continue. Contact us for assistance at the Telegram group address above. Please recognize that this process can only validate the software to the extent that the entity that first published the key is an honest actor, and their private key is not compromised or somehow being used by a malicious actor. |
|
@Marc-Gee can you take a final(?) crack at getting this updated (or have the docs already been updated to be sufficient? If so, please close this PR). |
Summary: Improvements to Binary file verification on Windows Platform:
Add new Powershell script that simulates the Linux SHASUM command , but within the Windows platform.
Rationale
The existing windows (powershell) script was not very effective and required users to manually open the Manifest file and manually check for themselves if the computed hash did equal to the expected hash.
This new (Powershell) script emulates the actions, behaviour and output of the Linux SHASUM command but on Windows. Thus it automates the task of checking that the computed and expected file hashes match exactly.
With many thanks and with credit to @Dimi8146 for his input on getting my own prior code snippets to work somewhat, his code was much more concise and used the more-correct powershell objects.
Our joint effort results in a more reliable verification experience for the windows users!
The output message matches the SHASUM Linux output for both the success and failure result.
If required, the code comments could be removed, or shortened to make the script appear shorter, but our decision thus far, was to try strike a balance between the readability and the brevity of a compressed 1-liner.