Cryptographic Sealing

Fingerprint can be used to ensure that a set of files has been delivered without manipulation: create a fingerprint of the files and sign it with a private key. The fingerprint and the files it covers can later be verified using the corresponding public key.

Generating Keys

To sign fingerprints, the first step is to create a private and public key pair. This is easily achieved using OpenSSL:

-- Create a private key, which you must keep secure.
$ openssl genrsa -out private-signature.pem 2048
Generating RSA private key, 2048 bit long modulus
.............+++
........+++
e is 65537 (0x10001)

-- Create a public key, which can be used to verify sealed fingerprints.
$ openssl rsa -in private-signature.pem -pubout -out public-signature.pem
writing RSA key

Signing Fingerprints

After you have generated a fingerprint, you can sign it easily using the private key:

-- You can replace '._index.signature' and '._index.fingerprint' with whatever names you have used.
-- We assume here that you are using fingerprint -a to generate fingerprints.
$ openssl dgst -sha1 -sign private-signature.pem -out ._index.signature ._index.fingerprint

Verifying Fingerprints

You can verify the signature on the fingerprint data, and then check the files against the fingerprint:

$ openssl dgst -sha1 -verify public-signature.pem -signature ._index.signature ._index.fingerprint
Verified OK
-- Fingerprint data has been cryptographically verified

$ fingerprint -v
S 
	error.count 0
Data verified, 0 errors found.
-- File list has been checked and no errors were found.

As long as the private key is kept secure, we can be sure that these files have not been tampered with.
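The full seal-and-verify round trip above, as an added shell example that is not part of the fingerprint project's documentation or code. It assumes only that the openssl CLI is on PATH; the fingerprint file is a constructed stand-in for what `fingerprint -a` would write, and the key and signature file names are placeholders. It uses -sha256 rather than the -sha1 shown above, since SHA-1 is no longer considered suitable for new signatures, and it goes one step further than the page by showing that changing a single byte of the signed fingerprint makes verification fail.

```shell
#!/bin/sh
# Added example, not from the fingerprint project. Assumes the openssl CLI.
set -eu

# Generate an RSA key pair inside directory $1. The private key must stay secret;
# only the public key is distributed alongside the sealed files.
seal_generate_keys() {
    openssl genrsa -out "$1/private-signature.pem" 2048 2>/dev/null
    openssl rsa -in "$1/private-signature.pem" -pubout -out "$1/public-signature.pem" 2>/dev/null
}

# Sign fingerprint file $2 with private key $1, writing the signature to $3.
seal_sign() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify fingerprint file $2 against signature $3 with public key $1.
# Exit status 0 means "Verified OK"; any other status means the signature
# does not match the file (openssl prints "Verification Failure").
seal_verify() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# End-to-end check: returns 0 only if the genuine fingerprint verifies AND a
# tampered copy of it is rejected. Everything happens in a throwaway directory.
seal_roundtrip() {
    seal_work=$(mktemp -d)
    seal_generate_keys "$seal_work"

    # Constructed stand-in for a `fingerprint -a` index; any byte-exact file works.
    printf 'C ./notes.txt\n\tfile.size 12\n' > "$seal_work/._index.fingerprint"

    seal_sign "$seal_work/private-signature.pem" \
              "$seal_work/._index.fingerprint" \
              "$seal_work/._index.signature"

    seal_genuine=1
    if seal_verify "$seal_work/public-signature.pem" \
                   "$seal_work/._index.fingerprint" \
                   "$seal_work/._index.signature"; then
        seal_genuine=0
    fi

    # Tamper with the fingerprint after signing: one digit changes (12 -> 13).
    printf 'C ./notes.txt\n\tfile.size 13\n' > "$seal_work/._index.fingerprint"

    seal_tampered=0
    if ! seal_verify "$seal_work/public-signature.pem" \
                     "$seal_work/._index.fingerprint" \
                     "$seal_work/._index.signature"; then
        seal_tampered=1
    fi

    rm -rf "$seal_work"
    [ "$seal_genuine" -eq 0 ] && [ "$seal_tampered" -eq 1 ]
}

# Stand-alone usage: report the outcome of the round trip.
if seal_roundtrip; then
    echo "sealing round trip OK: genuine fingerprint verified, tampered copy rejected"
else
    echo "sealing round trip FAILED"
fi
```

In a real deployment only the public key travels with the files, and a failed `seal_verify` should stop the consumer before it ever runs `fingerprint -v`, since a fingerprint whose signature does not check out says nothing about the files it lists.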