[Catalog-sig] Mirror authenticity

"Martin v. Löwis" martin at v.loewis.de
Sun Mar 29 14:07:39 CEST 2009

> Are you sure?  Doesn't the "dgst" message digest sub-command do what you're
> looking for, given a DSA public/private key pair?
>    openssl dgst -sign private-key-file -out signature-file <file-to-verify
>    openssl dgst -verify public-key-file -signature signature-file <file-to-verify

Interesting - I missed that. However, I can't get it to work, either:

$ openssl dgst -sign privkey -sha1 /etc/passwd
Error Signing Data
5216:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public
key type:p_sign.c:103:

where privkey is a PEM "DSA PRIVATE KEY". I'm puzzled about the error
message - *of course* I'm not passing a public key. This is with Apple's
openssl 0.9.7l.

In any case, I have now completed a mixed M2Crypto/pure-python signature
verification procedure, so I don't need to rely on an openssl binary
(which typically wouldn't be available on Windows, anyway). If you are
curious, please review the attached code. The __main__ should actually
work for the live pypi.python.org; the server key is in /serverkey.


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: verify.py
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20090329/f33f2d6a/attachment.txt>

More information about the Catalog-SIG mailing list