Difference between revisions of "Verifying a Signed Export"

[unchecked revision][checked revision]
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
It is possible to digitally sign an export of archived messages to the file system when as EML or MSG format is used. This helps to ensure integrity of each exported email while it resides outside of the archive. A SHA256 hash of the public key, that can be used to verify the signatures, is stored in the archive's temper proof audit log.
+
It is possible to digitally sign an export of archived messages to the file system if the EML or MSG format is used. This helps to ensure the integrity of each exported email while it resides outside of the archive. A SHA256 hash of the public key that can be used to verify the signatures is stored in the archive's tamper proof audit log.
  
To verify the integrity of a signed export, the use of OpenSSL is recommended. This needs to be installed on the computer where verification takes place in order to run the following commands.
+
== Prerequisites ==
 +
To verify the integrity of a signed export, the use of OpenSSL or LibreSSL is recommended. Follow the instructions below, if OpenSSL or LibreSSL is not yet installed on the computer where the verification should take place.
 +
 
 +
=== Linux or MacOS ===
 +
Use the built-in package management to install the latest version of OpenSSL or LibreSSL.
 +
 
 +
=== Windows ===
 +
The LibreSSL project provides Windows binaries. Download the most recent available version from https://www.libressl.org and extract it to your local disk.
 +
 
 +
It is recommended to add the location containing the the <tt>openssl.exe</tt> executable to your system's PATH variable. Otherwise update the PATH variable for a running PowerShell instance with the following command prior to executing the commands below:
 +
 
 +
<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
 +
  env:Path += ";C:\PATH_TO_OPENSSL_EXECUTABLE"
 +
</source>
  
 
== Create Hash of Public Key ==
 
== Create Hash of Public Key ==
Line 11: Line 24:
  
 
== Verify All Emails ==
 
== Verify All Emails ==
The following one-liners can be used to verify a signed export including all subdirectories.
+
The following one-liners can be used to verify a signed export including all subdirectories. The commands are to be executed inside the export's target directory.
  
 
=== Linux or MacOS ===
 
=== Linux or MacOS ===
Line 20: Line 33:
 
=== Windows (PowerShell) ===
 
=== Windows (PowerShell) ===
 
<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
 
<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
   ls -r *.eml | ForEach-Object { $file_sig = ($_.FullName) + '.sig';  $file_eml = $_.FullName; openssl.exe dgst -sha256 -verify publickey.pem -signature  "$file_sig" "$file_eml" }
+
   ls -r *.eml | ForEach-Object { $file_sig = ($_.FullName) + '.sig';  $file_eml = $_.FullName; Write-Host -NoNewLine ($_.Basename) `t": " ; openssl.exe dgst -sha256 -verify publickey.pem -signature  "$file_sig" "$file_eml" }
 
</source>
 
</source>
 +
 +
[[de:Verifizieren_eines_signierten_Exports]]
 +
[[en:Verifying_a_Signed_Export]]

Latest revision as of 13:00, 23 October 2017

It is possible to digitally sign an export of archived messages to the file system if the EML or MSG format is used. This helps to ensure the integrity of each exported email while it resides outside of the archive. A SHA256 hash of the public key that can be used to verify the signatures is stored in the archive's tamper proof audit log.

Prerequisites

To verify the integrity of a signed export, the use of OpenSSL or LibreSSL is recommended. Follow the instructions below, if OpenSSL or LibreSSL is not yet installed on the computer where the verification should take place.

Linux or MacOS

Use the built-in package management to install the latest version of OpenSSL or LibreSSL.

Windows

The LibreSSL project provides Windows binaries. Download the most recent available version from https://www.libressl.org and extract it to your local disk.

It is recommended to add the location containing the the openssl.exe executable to your system's PATH variable. Otherwise update the PATH variable for a running PowerShell instance with the following command prior to executing the commands below:

  env:Path += ";C:\PATH_TO_OPENSSL_EXECUTABLE"

Create Hash of Public Key

The following command generates a SHA256 hash of the public key in order to verify it against the hash recorded in MailStore's Audit Log.

  openssl dgst -sha256 -hex publickey.pem

Verify All Emails

The following one-liners can be used to verify a signed export including all subdirectories. The commands are to be executed inside the export's target directory.

Linux or MacOS

  find . -name '*.eml' -exec openssl dgst -sha256 -verify publickey.pem -signature \{}.sig \{} \;

Windows (PowerShell)

  ls -r *.eml | ForEach-Object { $file_sig = ($_.FullName) + '.sig';  $file_eml = $_.FullName; Write-Host -NoNewLine ($_.Basename) `t": " ; openssl.exe dgst -sha256 -verify publickey.pem -signature  "$file_sig" "$file_eml" }