extract is a small shell script wrapper around tar and gpg --verify which eases the use of gpg to verify downloaded executables. i wrote it after the openssh backdoor fiasco and a subsequent conversation with j-* about how to get around this.
extract is not perfect, its for a limited subset of archives. however, its got some utility for people who want to seamlessly verify their archives and the signatures.
extract is a small test tool. i want to get people thinking about how to make this process, trusted archives, more transparent.
extract smooths this procedure by:
from the usage:
usage: extract (archive) archive and archive.sig must be in the same directory.very simple.
example:
$ extract openssh-3.4p1.tar.gz-suspect *** WARNING **** signature FAILED for openssh-3.4p1.tar.gz-suspect $ extract openssh-3.4p1.tar.gz we have a good signature! let's go! openssh-3.4p1 openssh-3.4p1/contrib openssh-3.4p1/contrib/ssh-copy-id openssh-3.4p1/contrib/README snipthe first example is the trojanned openssh archive. the second is the known good one (snarfed from a UK mirror). you see it pulled a good signature and then started the extract process (via tar -zxvf).
i am seeking more related tools.
Thu Aug 1 23:47:38 EDT 2002