a MD5 check should be a first thing - and md5 is available on gumstix - but effectively I want to protect against unauthorized updates/script execution.
My goal is to upload a signed file and use it only if it's a file made by the owner of the private key, so I only need gpg verification feature on gumstix.
I'll try to build some stuff and will share my results if someone is interested (and if I have results ;) )


On 2/2/06, Craig Hughes <craig@gumstix.com> wrote:
On Feb 2, 2006, at 4:52 AM, Jérôme Multrier wrote:

Hello !
Did anybody tried to authenticate a file on the gumstix ?
I would like to build updates for my system, that may contain scripts, so I would prefer to check if it is a valid update.
So I would like to put my public signature on the gumstix, and at boot, a script checks if there is a valid update file, then it uses it or not.

I found gnupg compiled for zaurus but i didn't tested yet : http://www.killefiz.de/zaurus/search.php?q=gnupg
another way should be to use dropbear key generating/checking stuff ..

Does anybody have ideas about that ?

Do you need a GPG signature, or would an MD5 checksum be enough?  If you're just trying to protect against incomplete downloads, etc then an MD5 check is enough.  If you're trying to protect against unauthorized updates though, then you will need to do something like the gpg signing approach.

It shouldn't be too hard to build gpg for the gumstix, I'd have thought.  Though you actually only need a tiny subset of gpg's functionality; there might be other lighter-weight more suitable apps out there.

C



--
Jérôme Multrier
TinyCoach, un projet KaliBee