docs/security.txt, docs/nut.dict: add a chapter on checksum file veri…

…fication [#1963]
networkupstools · Jun 30, 2023 · 1d73aac · 1d73aac
1 parent 36e4769
commit 1d73aac
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/docs/nut.dict b/docs/nut.dict
@@ -1,4 +1,4 @@
-personal_ws-1.1 en 3179 utf-8
+personal_ws-1.1 en 3185 utf-8
 AAS
 ABI
 ACFAIL
@@ -645,6 +645,7 @@ MAXPARMAKES
 MBATTCHG
 MCOL
 MCU
+MDigest
 MEC
 MEGATAEC
 MH
@@ -1586,6 +1587,7 @@ bestfort
 bestfortress
 bestuferrups
 bestups
+bfe
 bigbox
 bigone
 bigserver
@@ -1633,6 +1635,7 @@ cblimit
 ccache
 cd
 cdc
+cdf
 centos
 cerr
 certfile
@@ -1662,6 +1665,7 @@ chargermode
 chargetime
 charset
 checksum
+checksums
 chgrp
 chipset
 chkconfig
@@ -1911,6 +1915,7 @@ fallthrough
 fatalx
 faultsensitivity
 fc
+fcb
 fcntl
 fd
 fds
@@ -2751,6 +2756,7 @@ setvar's
 sfr
 sgml
 sgs
+sha
 shm
 shutdownArguments
 shutdowndebounce

diff --git a/docs/security.txt b/docs/security.txt
@@ -109,6 +109,44 @@ Maintainer notes for posterity:
 ----
 ////////
 
+How to verify the NUT source code checksum
+------------------------------------------
+
+As a weaker but simpler alternative to verifying a *signature*, you can verify
+just the accompanying checksums of the source archive file. This is useful
+primarily to check against bit-rot in original storage or in transit. As far
+as disclaimers go: ideally, you should cover all provided algorithms -- e.g.
+MD5 and SHA256 -- to minimize the chance that intentional malicious tampering
+on the wire goes undetected. A myriad tools can check that on various platforms;
+some examples follow:
+
+	# Example original checksum to compare with, from NUT website:
+	$ cat nut-2.8.0.tar.gz.sha256
+	c3e5a708da797b7c70b653d37b1206a000fcb503b85519fe4cdf6353f792bfe5  nut-2.8.0.tar.gz
+
+	# Generate checksum of downloaded archive with perl (a NUT build dependency
+	# generally, though you may have to install Digest::SHA module from CPAN):
+	$ perl -MDigest::SHA=sha256_hex -le "print sha256_hex <>" nut-2.8.0.tar.gz
+	c3e5a708da797b7c70b653d37b1206a000fcb503b85519fe4cdf6353f792bfe5
+
+	# Generate checksum of downloaded archive with openssl (another optional
+	# NUT build dependency):
+	$ openssl sha256 nut-2.8.0.tar.gz
+	SHA256(nut-2.8.0.tar.gz)= c3e5a708da797b7c70b653d37b1206a000fcb503b85519fe4cdf6353f792bfe5
+
+	# Generate checksum of downloaded archive with coreutils:
+	$ sha256sum nut-2.8.0.tar.gz
+	c3e5a708da797b7c70b653d37b1206a000fcb503b85519fe4cdf6353f792bfe5  nut-2.8.0.tar.gz
+
+	# Auto-check downloaded checksum against downloaded archive with coreutils:
+	$ sha256sum -c nut-2.8.0.tar.gz.sha256
+	nut-2.8.0.tar.gz: OK
+
+	# Generate checksum of downloaded archive with GPG:
+	$ gpg --print-md SHA256 nut-2.8.0.tar.gz
+	nut-2.8.0.tar.gz: C3E5A708 DA797B7C 70B653D3 7B1206A0
+	                  00FCB503 B85519FE 4CDF6353 F792BFE5
+
 System level privileges and ownership
 -------------------------------------