This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Sig | SHA-256+rot13 File Verification!

Started by HaddockDev, 26 November 2016 - 03:38 AM
HaddockDev #1
Posted 26 November 2016 - 04:38 AM
Sig.

GPG's for CC!


This is a quick proof of concept program that verifies files in order to make sure the file you downloaded is what you think it is.

Let's say Pastebin gets attacked and turns all CC scripts into a known malware for Lua or CC itself (not that it would happen).
Hundreds of people download your program from Pastebin, and oh no! You now have to pay a ransom in Krist to decrypt your files!
What are you going to do now, especially since you have lots of important information on that computer! (That was entirely fictional, and probably never will happen.)

Well, before you run it, check if the author has a "sig"! Run it through the sig program, and it will say if that file has the same sig as the author provided.

Example gif:

(Note: I have fixed the bug where it doesn't find the file you gave it, but it's in the current directory. It doesn't work for sig outputs sadly.)

Pastebin: pastebin get 2LwAy08e sig

I used SHA256 and Rot13. Don't know why, but I just did. Pass it only a file and it will generate a sig, and output it to "/out.sig", at least for me.

Used a snippet of rot13 from GitHub, which I can no longer find, and GravityScore's SHA256 implementation. Thanks!
Yeah, probably not going to be used but oh well.
Anavrins #2
Posted 26 November 2016 - 08:32 AM
So, what you mean is, in the extraordinary case where somebody hacks pastebin and his goal was to explicitly target CC scripts to insert (CC malware?), this would allow you to verify a program against a signature posted on a forum post.
I feel like it would be easier to hack IPB and change the pastebin link + signature directly from the thread.

A few things about this: adding rot13 in there does absolutely nothing for security, other than being more confusing.
The whole security of this really depends on how the signature is transmitted to the user, and it would be very easy to convince somebody to download a malware script with a valid signature.
GravityScore's implementation of sha256 has a bug where it produces the wrong hash with data of certain length.
I made my own implementation of it which fixes that bug, is faster and has a broader use of sha256 capabilities.
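
An added example, not HaddockDev's program and written in Python rather than CC Lua so that it can use a standard-library SHA-256, illustrating the two points in the post above: rot13 is a keyless mapping that anyone can undo, and an unkeyed hash only detects tampering when the sig reaches the user over a channel the person who changed the file cannot also change. The sig format (rot13 over the hex SHA-256 digest) is an assumption, since the sig source is not on this page, and the sample file contents are constructed.

```python
import codecs
import hashlib
import hmac

def make_sig(data: bytes) -> str:
    """Assumed sig format: rot13 applied to the hex SHA-256 digest."""
    return codecs.encode(hashlib.sha256(data).hexdigest(), "rot_13")

def verify_sig(data: bytes, published_sig: str) -> bool:
    """Recompute the sig for the downloaded bytes and compare in constant time."""
    expected = make_sig(data).encode("ascii")
    given = published_sig.strip().encode("utf-8", "replace")
    return hmac.compare_digest(expected, given)

def plain_digest(sig: str) -> str:
    """rot13 has no key, so undoing it recovers the ordinary SHA-256 hex digest."""
    return codecs.decode(sig, "rot_13")

# Constructed sample inputs (not real programs).
ORIGINAL = b'print("hello from my program")\n'
TAMPERED = ORIGINAL + b"-- line added by someone other than the author\n"

def demo() -> dict:
    # Sig the author published somewhere the file host cannot edit.
    sig_from_author = make_sig(ORIGINAL)
    # Sig recomputed by whoever replaced the file, served next to the file.
    sig_from_same_channel = make_sig(TAMPERED)
    return {
        # Unmodified download checked against the author's sig: passes.
        "original_ok": verify_sig(ORIGINAL, sig_from_author),
        # Modified download checked against the author's sig: fails, as intended.
        "tampered_vs_author_sig": verify_sig(TAMPERED, sig_from_author),
        # Modified download checked against a sig from the same compromised
        # channel: passes, because nothing in the scheme is secret.
        "tampered_vs_replaced_sig": verify_sig(TAMPERED, sig_from_same_channel),
        # Removing rot13 yields exactly the plain SHA-256 digest.
        "rot13_removed": plain_digest(sig_from_author)
        == hashlib.sha256(ORIGINAL).hexdigest(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
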
TheRockettek #3
Posted 26 November 2016 - 09:41 AM
why not use md5 :D
HaddockDev #4
Posted 26 November 2016 - 11:38 AM
> So, what you mean is, in the extraordinary case where somebody hacks pastebin and his goal was to explicitly target CC scripts to insert (CC malware?), this would allow you to verify a program against a signature posted on a forum post.
> I feel like it would be easier to hack IPB and change the pastebin link + signature directly from the thread.
>
> A few things about this: adding rot13 in there does absolutely nothing for security, other than being more confusing.
> The whole security of this really depends on how the signature is transmitted to the user, and it would be very easy to convince somebody to download a malware script with a valid signature.
> GravityScore's implementation of sha256 has a bug where it produces the wrong hash with data of certain length.
> I made my own implementation of it which fixes that bug, is faster and has a broader use of sha256 capabilities.

Yeah, IPB being hacked would probably be WAYYYYY easier than Pastebin. I was only using it as an example :P
As for convincing somebody to download a malware script, somebody could interlace this with an antivirus? Maybe get as many sigs of known viruses as you can, put them in a database and get people to scan their downloads? It could work.

I have known about GravityScore's bug but in every case of testing (os main files, programs, HLTI images just because) it outputs the same hash of the files supplied, and there was another bug I found that for me, you can't just use sha256 again and again. You have to WAIT.
But, if I find there's a lot of people complaining I probably will switch to your implementation. This program is mainly a proof-of-concept of better security. Heck, maybe somebody implements this into their OS, they could have some sort of virus protection so when you get infected, it will alert you that the OS is infected and you really should reinstall. Just a theory though.