#1 2019-09-13 09:50:31

MC
Member
Registered: 2012-10-04
Posts: 21

ECC File signature [updated]

Hello,

I created a file signature with the ECC command line utility, following the example in the documentation:
https://synopse.info/files/html/Synopse … #TITLE_588

Then I opened the .sign file and modified the first char of md5 and sha256 values.

When I check the file signature, ECC tells me the signature is valid.

But I was expecting a result: invalid signature

As the documentation says: "Note that you can add whatever JSON field you need to any .sign file, especially in the "meta": nested object, as soon as you don't modify the size/md5/sha256/sign values."

Am I wrong?

Thank you

--- update ---

The ECCCommandVerifyFile command uses TECCSignatureCertified.CreateFromFile, which only uses the "sign" field of a JSON ".sign" file.

This "sign" field calculation is based on SHA256 of the file.

So other fields in the JSON ".sign" file are present for information only.

Last edited by MC (2019-09-13 12:23:16)


#2 2019-09-13 16:56:36

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659

Re: ECC File signature [updated]

You are right.
The .sign file is not signed, so it can be modified for sure.

The sha256 and md5 fields are informative only.
The "sign" field is where the signature verification is done.
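
Since only "sign" is verified, anything that displays or relies on the size/md5/sha256 fields has to recompute them from the file itself. The sketch below is an added Python example, not part of this thread or of mORMot's code; it assumes the hashes are stored as hex strings and the size as a JSON number, uses a constructed sample file with a placeholder "sign" value, and complements the ECC signature check rather than replacing it.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def informative_mismatches(file_path, sign_path):
    """Return {field: (recorded, actual)}; the "sign" field is NOT verified here."""
    recorded = json.loads(Path(sign_path).read_text(encoding="utf-8"))
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(file_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    actual = {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    bad = {}
    for field, value in actual.items():
        rec = recorded.get(field)
        # Assumption: hashes are stored as hex strings, size as a JSON number.
        if (rec.lower() if isinstance(rec, str) else rec) != value:
            bad[field] = (rec, value)
    return bad


def demo():
    """Constructed sample: an intact .sign file, then the edit from post #1."""
    def flip(h):  # replace the first hex character with a different one
        return ("1" if h[0] == "0" else "0") + h[1:]
    payload = b"constructed sample payload\n"
    doc = {"meta": {"note": "constructed"}, "size": len(payload),
           "md5": hashlib.md5(payload).hexdigest(),
           "sha256": hashlib.sha256(payload).hexdigest(),
           "sign": "PLACEHOLDER-not-a-real-signature"}
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        data, sign = Path(tmp, "sample.bin"), Path(tmp, "sample.bin.sign")
        data.write_bytes(payload)
        for tamper in (False, True):
            if tamper:
                doc["md5"], doc["sha256"] = flip(doc["md5"]), flip(doc["sha256"])
            sign.write_text(json.dumps(doc), encoding="utf-8")
            results.append(sorted(informative_mismatches(data, sign)))
    return results


if __name__ == "__main__":
    print(demo())  # [[], ['md5', 'sha256']]
```

Run it after the ECC tool has accepted the signature: an empty result means the informative fields agree with the file, and any listed field was edited or is stale.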
