Script to check integrity of file against hash found from Apostille

Hi everyone,

[post edited 15.5.2017]

I created a small bash script to check the integrity of files against the hash found from Apostille. The “.sig” files on e.g. http://bob.nem.ninja contain a “txId” parameter that can be used to fetch the cryptographic hash from Apostille (placed in the NEM blockchain).

This morning I downloaded nis-ncc from bob and decided that I wanted to verify the signature. Unfortunately gpg reported that the .sig file does not contain anything the file can be validated with. Well, this led to an investigation and I found a forum thread in which @rb2 and @filchef were pondering the same thing. From that thread I got some clues (cryptographic hashes have now been moved to Apostille) and I wrote a general script that checks a file and signature file pair against the hash found from the NEM blockchain (apostille?).

Anyways, I am open to suggestions and improvements if anyone has anything to suggest.

Thread that inspired me is:

Script (checkIntegrityAgainstApostille.sh) can be found from:
https://github.com/whatilike/NemToolsLinux

So, if anyone downloads e.g. nis-ncc-0.6.87.tgz and nis-ncc-0.6.87.tgz.sig and wants to check that the SHA256 hash is actually the same as the one referenced in the .sig file, you just need to run the script with the filename: “./checkIntegrityAgainstApostille.sh nis-ncc-0.6.87.tgz”.

Hmm, maybe I should write a PowerShell script also to do the same thing.

PS. I am new to this NEM thing, please forgive me any technical incorrectness in any subject :slight_smile:

br,
SCF

1 Like

Hi,

Cool but it is not signature verification here, it is integrity verification :slight_smile:

You compare the SHA256 hash of the file with the SHA256 hash on the chain.

It is enough to audit SHA256 public Apostilles but won’t work for other hashing methods or if the hash is signed.

Here is an actual NEM signature verifier: https://github.com/QuantumMechanics/NEM-sdk/blob/master/src/crypto/keyPair.js#L105

It takes a signer public key, the original data (file hash) and the signature (signed file hash).

If you want to handle all Apostilles: https://github.com/QuantumMechanics/NEM-sdk/blob/master/src/model/apostille.js#L171 can guide you

2 Likes

Thank you @Quantum_Mechanics for valuable input! I changed the script name and modified the script so that it can use MD5, SHA1 or SHA256 to check integrity of file.

I will see if it is feasible to add checking of signed hashes later.

Would you happen to have a txId to Apostille entry that is signed?

What has been added to .sig messages that are used to verify e.g. nis?

For nis-ncc-0.6.87.tgz the message in blockchain is:
4e5459031168167aacc0a4e7c7ebd5ae4162e8a841ba4e64a5bba197f5147ef6119d5e76
that can be broken into: header + sha256 hash

For nis-0.6.95.tgz the message in blockchain is:
4e5459037fc83b72cebdebe1a1a5002b278dd6265314b0db03434f69f6a2c006cea66f690000626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d302e362e39352e74677a
that can be broken into: header + sha256 hash + (I have no idea what the rest is).

What has been added after the sha256 hash?

I tried to check the Apostille whitepaper to figure out if it was a signed hash, but the headers indicate otherwise and the string after the header is not 128 characters long (as it is supposed to be if it is signed).

@BloodyRookie, @Quantum_Mechanics do you know the answer to the question above?

Two null bytes followed by a hex-encoded URI:
bob.nem.ninja/installer/nis-0.6.95.tgz

same can be found here:
http://chain.nem.ninja/#/transfer/07182df936de4d560ff8bf1f9979480f2fc604e065a4ca74ba4c402619317c81
000068747470733a2f2f747769747465722e636f6d2f4e434f534947494d434954594e5245

In this case the encoded URI is:
https://twitter.com/NCOSIGIMCITYNRE - unfortunately Twitter did not let me use the full address as a handle :slightly_frowning_face:

Thank you @gimre and @CryptoBeliever !

I updated my script and uploaded fresh version to github. Script now supports:

  • Hashes from MD5, SHA1, SHA256 and SHA3
  • messages within Apostille hash

Still not supported:

  • signed hashes

If you have suggestions or anything, please don’t hesitate to tell.

Can anyone point me to an Apostille hash that is signed?

2 Likes
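
The message layout worked out in the posts above (header, SHA-256 digest, then an optional `0000` separator and a hex-encoded URI), as an added Python example that is not part of the thread or of the linked script. The function names are hypothetical, and only the `4e545903` header quoted in the thread is accepted.

```python
import hashlib
import hmac
import re
from typing import NamedTuple, Optional

# Header seen in both messages quoted in the thread; the thread identifies
# it as an unsigned SHA-256 Apostille. Other headers are rejected here.
SHA256_PUBLIC_HEADER = "4e545903"
SHA256_HEX_LEN = 64

class Apostille(NamedTuple):
    digest_hex: str
    note: Optional[str]  # text after the 0000 separator, if present

def parse_apostille(message_hex: str) -> Apostille:
    """Split an on-chain message into SHA-256 digest and optional note."""
    msg = message_hex.strip().lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", msg):
        raise ValueError("message is not an even-length hex string")
    if not msg.startswith(SHA256_PUBLIC_HEADER):
        raise ValueError("not the unsigned SHA-256 header from the thread")
    body = msg[len(SHA256_PUBLIC_HEADER):]
    digest, rest = body[:SHA256_HEX_LEN], body[SHA256_HEX_LEN:]
    if len(digest) != SHA256_HEX_LEN:
        raise ValueError("message too short to hold a SHA-256 digest")
    if not rest:
        return Apostille(digest, None)
    if not rest.startswith("0000"):
        raise ValueError("unexpected data after the digest")
    return Apostille(digest, bytes.fromhex(rest[4:]).decode("utf-8"))

def file_matches(path: str, message_hex: str) -> bool:
    """Hash the file in chunks and compare with the digest from the chain."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    expected = parse_apostille(message_hex).digest_hex
    return hmac.compare_digest(h.hexdigest(), expected)

# The two messages quoted in the thread.
MSG_0_6_87 = "4e5459031168167aacc0a4e7c7ebd5ae4162e8a841ba4e64a5bba197f5147ef6119d5e76"
MSG_0_6_95 = ("4e5459037fc83b72cebdebe1a1a5002b278dd6265314b0db03434f69f6a2c006cea66f69"
              "0000626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d302e362e39352e74677a")

if __name__ == "__main__":
    for m in (MSG_0_6_87, MSG_0_6_95):
        print(parse_apostille(m))
```

A match shows only that the file equals what the transaction recorded. The trailing note is free text chosen by the transaction's sender and should be displayed, not trusted.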

Hi, I used the examples to create an apostille and audit it, and the example works perfectly, but now I have modified it by putting it on a node server and I’m trying to add an image. It returns a success when creating it, but at the time of auditing it says it is invalid. Can you help me please?

this is my code:

let endpoint = nem.model.objects.create("endpoint")(nem.model.nodes.defaultTestnet, nem.model.nodes.defaultPort);

let common = nem.model.objects.create("common")("","mykey");

function createApostille(request,response){

	const file = request.file;

	if (!request.file) {
		response.status(400).send({ code: 400, description: 'No se proporcionó un archivo' });
		return;
	}

	var fileContent = nem.crypto.js.enc.Utf8.parse(file.buffer);

	var apostille = nem.model.apostille.create(common, "mariposa.png", fileContent, "imagen", nem.model.apostille.hashing["SHA256"], false, "", true, nem.model.network.data.testnet.id);

	nem.model.transactions.send(common, apostille.transaction, endpoint)
	.then(function(res){
		if (res.code >= 2) {
			console.error(res.message);
			response.status(500).send(res.message);
		} else {
			console.log("\nTransaction: " + res.message);
			console.log("\nCreate a file with the fileContent text and name it:\n" + apostille.data.file.name.replace(/\.[^/.]+$/, "") + " -- Apostille TX " + res.transactionHash.data + " -- Date DD/MM/YYYY" + "." + apostille.data.file.name.split('.').pop());
			console.log("When transaction is confirmed the file should audit successfully in Nano");
			console.log("\nYou can also take the following hash: " + res.transactionHash.data + " and put it into the audit.js example");
			response.send(res);
		}
	})
	.catch(function (err) {
		console.log(err);
		response.status(500).send(err);
	});
}
1 Like