How to Verify KeePass Installers Using OpenPGP File Signatures

2014 November 7
by r.claypool

Let’s say you have downloaded an installer, and before you run it, you’d like to prove it was packaged by a developer you trust. It’s not enough to simply go to the app’s official download page… maybe their server was hacked, maybe someone is rerouting your Internet traffic… If you really want to verify the source of this installer, PGP’s web of trust will help: Provided you have the developer’s public key and no reason to think his corresponding private key is compromised, then you can authenticate the file as his.

Since KeePass is a program that stores all your passwords, its installer is one we ought to verify! I’ll use KeePass as the example:

  1. Here’s the official download page. The download buttons redirect to SourceForge – a popular file hosting service.
  2. Now go to the file signatures page and download the detached signature (the .asc file) that matches your installer. I’m going to install KeePass-2.28-Setup.exe, so I downloaded KeePass-2.28-Setup.exe.asc.
  3. Take note of the developer’s public key. Every signature he makes references this key, so it is the identity you will check the file against. For KeePass, the developer’s name is ‘Dominik Reichl’ and his key fingerprint is ‘2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC’.

    His key looks like this:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.4.7 (MingW32)

    mQGiBEbSjVQRBAC3IxVUWORso25
    [ blah blah blah blah ]
    NzoOW+vC+qtcam37/J/3PiWA=
    =KcOE
    -----END PGP PUBLIC KEY BLOCK-----

    … without the ‘blah blah blah’, of course!

    Here we assume that anything signed by this key was signed by the man Dominik Reichl whom we trust for KeePass installers. If that’s confusing, see Wikipedia’s web of trust.

    Cryptography is not magic — it can’t tell you if someone forced Dominik to sign a malicious file. It can’t tell you that he keeps his key safe or that he is trustworthy to begin with. The signature can only prove that this particular file was signed by someone who had access to “Dominik”’s private key. I put his name in scare quotes because of course “Dominik” could be a pseudonym, or a group of people, etc., etc. This part of public key cryptography seems to confuse a lot of people. Anyway…

  4. The last step is to verify the file. I will use Windows PowerShell:

    PS C:\Users\techencoder\Downloads> gpg --verify .\KeePass-2.28-Setup.exe.asc .\KeePass-2.28-Setup.exe
    gpg: Signature made 10/07/14 11:11:53 Central Daylight Time using DSA key ID FEB7C7BC
    gpg: Good signature from "Dominik Reichl <dominik.reichl@gmx.de>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 2171 BEEA D0DD 92A1 8065  5626 DCCA A5B3 FEB7 C7BC
    PS C:\Users\techencoder\Downloads>

    As you can see, I’ve yet to sign Dominik’s key. ‘WARNING: This key is not certified with a trusted signature!’ is just a reminder that his key is not part of my web of trust. What does matter is that the primary key fingerprint on the last line matches the one from step 3. Should I ever want to add his key to my web of trust, I would ask him to tell me the fingerprint in person, over the phone, or in some other offline communication. Then I can safely know that the key is owned by the person I talked to offline.
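    As an added example (not code from the original post), here is a Python script that automates step 4 and adds the check the WARNING does not cover: it reads gpg’s machine-readable --status-fd output and accepts the file only when the VALIDSIG fingerprint equals the one from step 3, so a “Good signature” from some other key is rejected. It assumes gpg is on PATH (e.g. from Gpg4win); the status sample embedded in it is constructed, not captured from a real run.

```python
"""Verify a detached OpenPGP signature and pin the signer's fingerprint.
Added example, not from the original post: runs gpg with --status-fd so a
script reads the verdict, and treats "Good signature" alone as insufficient;
the VALIDSIG line must name the KeePass key fingerprint quoted in step 3."""
import re
import subprocess

# Fingerprint from step 3 of the post, written without spaces.
EXPECTED_FPR = "2171BEEAD0DD92A180655626DCCAA5B3FEB7C7BC"

# Constructed sample of gpg's --status-fd output for the session shown
# above (same key, same date); not captured from a real run.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG DCCAA5B3FEB7C7BC Dominik Reichl <dominik.reichl@gmx.de>
[GNUPG:] VALIDSIG 2171BEEAD0DD92A180655626DCCAA5B3FEB7C7BC 2014-10-07 1412698313 0 4 0 17 2 00 2171BEEAD0DD92A180655626DCCAA5B3FEB7C7BC
[GNUPG:] TRUST_UNDEFINED
"""

def normalize_fpr(fpr):
    """'2171 BEEA ...' and '2171beea...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def check_status(status, expected_fpr):
    """Return (accepted, reason). Accept only a VALIDSIG whose signing-key or
    primary-key fingerprint equals expected_fpr. TRUST_UNDEFINED (the WARNING
    in the post) is irrelevant here: pinning the fingerprint replaces the web
    of trust for this one key."""
    want = normalize_fpr(expected_fpr)
    seen = set()
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, "gpg reported " + fields[1]
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            seen.add(fields[2].upper())        # fingerprint of the signing key
            if len(fields) >= 12:
                seen.add(fields[11].upper())   # fingerprint of its primary key
    if not seen:
        return False, "no VALIDSIG: signature not verified"
    if want in seen:
        return True, "good signature from expected key " + want
    return False, "good signature, but from unexpected key " + ", ".join(sorted(seen))

def verify_file(sig_path, file_path, expected_fpr=EXPECTED_FPR):
    """Run gpg (assumed on PATH, e.g. from Gpg4win) and pin the signer."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return check_status(proc.stdout, expected_fpr)
```

    Call verify_file(".\\KeePass-2.28-Setup.exe.asc", ".\\KeePass-2.28-Setup.exe") from the download folder; it returns (True, ...) only for a signature by the pinned key.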

Esri Certified Web Application Developer

2014 July 10
by r.claypool

I’m now a certified Esri Web Application Developer for ArcGIS 10.2 (EWDA102).

Email me if you need to see the online transcript.

Public Key Encryption with OpenPGP (on Windows)

2014 April 30
by r.claypool

Here’s a Windows command line example for gpg message encryption.

echo "Hi John," "Here's our server admin info:" "username=admin" "password=2d!5-e9.6e8:AA~77/Vq" | gpg --encrypt --sign --armor -r john.doe@example.com --output c:\temp\message.txt

Install the open source Gpg4win to use gpg. Gpg4win is an email and file encryption package for Windows that includes the open source Gnu Privacy Guard. It implements the OpenPGP standard and is widely used to sign, verify, encrypt, and decrypt data.

Checking md5, sha1, and sha256 digests on Windows

2014 March 19
by r.claypool

Checking an installer’s hash/digest is a good security best practice, but Windows doesn’t have a built-in program for that. While PowerShell scripts can do these kinds of calculations, the commands are verbose and hard to remember. Enter Gpg4win…

Gpg4win is an email and file encryption package for Windows that includes the open source Gnu Privacy Guard. It implements the OpenPGP standard and is widely used to sign, verify, encrypt, and decrypt data.

--print-md is a command to calculate a hash using md5, sha1, sha256, and more:

  • gpg --print-md md5 .\setup.exe
  • gpg --print-md sha1 .\setup.exe
  • gpg --print-md sha256 .\setup.exe

Or use the * parameter to show all formats:

  • gpg --print-md * .\setup.exe
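As an added example (not from the original post), here is a Python alternative that computes the same digests with hashlib and compares them with a published value, normalizing the grouped upper-case form that gpg --print-md prints so it can be compared with the plain hex on a download page. The sample file and the published digests in it are constructed.

```python
"""Check an installer's digest against the value a vendor publishes.
Added example, not from the original post. It hashes with hashlib (no gpg
needed) and normalizes digest strings, so the grouped upper-case form that
gpg --print-md prints ("setup.exe: 5D41 402A ...") can be compared with the
plain lower-case hex most download pages show."""
import hashlib
import hmac
import re
import tempfile

def file_digest(path, algo):
    """Hex digest of a file, read in 1 MiB chunks so large installers fit in memory."""
    h = hashlib.new(algo)  # "md5", "sha1", "sha256", ...
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def normalize_digest(text):
    """Drop a leading 'filename:' label (as in gpg --print-md output for one
    algorithm) and everything that is not a hex digit; lower-case the rest."""
    if ":" in text:
        text = text.rsplit(":", 1)[1]
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()

def digest_matches(path, algo, published):
    """True only if the file's digest equals the published one. The length
    check rejects a truncated or wrong-algorithm value; compare_digest avoids
    leaking where the strings differ."""
    got = file_digest(path, algo)
    want = normalize_digest(published)
    return len(want) == len(got) and hmac.compare_digest(got, want)

def write_sample(contents=b"hello"):
    """Write a constructed stand-in for an installer and return its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(contents)
    return f.name

if __name__ == "__main__":
    path = write_sample()
    # Published value in gpg --print-md style (constructed: md5 of b"hello").
    print(digest_matches(path, "md5", "setup.exe: 5D41 402A BC4B 2A76 B971 9D91 1017 C592"))  # True
    print(digest_matches(path, "sha1", "0000000000000000000000000000000000000000"))          # False
```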

How to Add a Windows Domain User to SQL Server as ‘sysadmin’

2013 March 15
by r.claypool

-- Creates a login for the Windows account and adds it to the sysadmin server role.
USE master
GO
CREATE LOGIN [domain\username] FROM WINDOWS WITH DEFAULT_DATABASE = [Master]
GO
-- sp_addsrvrolemember is deprecated from SQL Server 2012 on; the newer form is
-- ALTER SERVER ROLE sysadmin ADD MEMBER [domain\username]
EXEC sp_addsrvrolemember @loginame=N'domain\username', @rolename=N'sysadmin'
GO

http://msdn.microsoft.com/en-us/library/ms186320.aspx

This work by Robert Claypool is licensed under a Creative Commons Attribution 3.0 United States.