We Keep Coding

Integrity Checking for NPM Packages

I'm being tasked to validate the integrity of my downloads from npm by our IT/Security department. I'm a programmer and while I understand at a top level what performing a sha checksum is, I'm having trouble figuring out how to do that on my NPM packages.
I successfully performed a check on a single file download from the browser for something other than npm. NPM installs come with an "integrity" value in the "package-lock.json", but I am unsure how to use that value. For example when trying to perform this check on the D3 library which has the "integrity" value of "sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==" I have been unable to recreate that value. I tried to create a tarball of the package folder using 7zip, and I even tried directly downloading the ".tgz" file from the "resolved" value "https://registry.npmjs.org/d3/-/d3-5.16.0.tgz" which still does not yield the right checksum.
I have used both of the following commands which both give me the same result. (e0f2f9847687c17e26ed9af551aa575b6ddaa68ea97b10a075eb5d2799139800e91bfed3f46931c34334b5ffe98e807addecc20a6d2ee54685632d9a32dd0c73)
Get-FileHash -Path C:\Path\to\d3-5.16.0.tgz -Algorithm SHA512
certutil -hashfile C:\Path\to\d3-5.16.0.tgz sha512
If anyone can walk me through what I'm doing wrong or missing it would be very appreciated.

You just missed out one step, you need to convert the result (HEX) to base64 instead.
The result you generated is in Hexadecimal (by default), unless you explicitly mention to use base64 encoding while creating the hash.
Summary:
Have your file hashed with algorithm of your choice (eg: SHA-256)
By default, it will create a hash of Hexadecimal. You need to convert it into Base64-encoded hash.
Option 1: You can generate SRI hashes from the command-line with openssl using a command invocation cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A
Option 2: Or with shasum
shasum -b -a 384 FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64
Option 3: Use online tools.
Firstly, upload and hash your file with any online tool (I was using
this) and it should create a Hexadecimal hash output.
Then, convert your Hexadecimal hash output into Base64-encoded value. (I
was using this)
References:
W3's Subresource Integrity

Why does importing the GPG key for the mono repo fail?

When following the steps to setup mono on the following site it is failing to import the GPG key for the repo.
https://www.mono-project.com/download/stable/#download-lin-centos
This is happening on CentOS machines running both 6.x and 7.x.
rpm --import "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF"
error: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF: key 1 not an armored public key.

This appears to be due to a missing newline at the end of the key file. If you open the key with vi and save it, without making any changes (this is one way to ensure there is a newline at the end of the file), the import works.
curl -v "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF" -okey
vi key
# don't modify, just save it with ":wq"
rpm --import key
Another way to add the newline to the end of the file: https://unix.stackexchange.com/a/31955
sed -i -e '$a\' key
see https://github.com/mono/mono/issues/15955

I used this workaround to then download. See https://github.com/mono/mono/issues/16025
rpm --import https://download.mono-project.com/repo/xamarin.gpg
su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo’

Create a PEM from a PPK file [duplicate]

This question already has answers here:
How to convert SSH keypairs generated using PuTTYgen (Windows) into key-pairs used by ssh-agent and Keychain (Linux)
(10 answers)
Closed 3 years ago.
So there are plenty of tutorials on how to convert a PEM to a PPK using puttyGen. However my issue is that my windows machine had the only PEM copy and I converted it into a PPK and deleted it. Now I need to figure out how to convert a PPK into a PEM so that my mac can ssh into the server. I still have access to the server so I could also just make a new key if I had to, anyone know how to convert PPK to PEM?

Install PuttyTools
apt-get install putty-tools
Generate a pem file form the ppk
puttygen server.ppk -O private-openssh -o server.pem
The file server.pem file will be saved on same location

If you're on a Mac and you've previously installed Homebrew, from Terminal:
$ brew install putty
$ puttygen server.ppk -O private-openssh -o server.pem
The first command was suggested in this comment and the second from Emizen Tech's answer.

Try this to install putty-tools
sudo apt install putty-tools
puttygen key.ppk -O private-openssh -o key.pem
ssh -i ~/key.pem {user}#{ip}

First, install PuTTY for Mac using
brew install putty
Then, use the following command to convert the .ppk format private key to a standard PEM format private key:
puttygen privatekey.ppk -O private-openssh -o privatekey.pem
Make sure permissions on the private key file are set properly. It should only be readable by the user that owns it.
chmod go-rw privatekey.pem
You can now use the key for logins from scripts and command line with:
ssh -i privatekey.pem user#hostname

Keychain Working but Still must enter passphrase on first decrypt

I am using keychain to store ssh and gpg keys. When I login and start up a terminal, I get prompted for both the ssh and gpg passphrases, then keychain reports that it has found the existing agents and keys:
keychain 2.7.1 ~ http://www.funtoo.org
No other ssh-agent(s) than keychain's 2740 found running
No other gpg-agent(s) than keychain's 3301 found running
Found existing ssh-agent: 2740
Found existing gpg-agent: 3301
Known ssh key: /home/ded/.ssh/id_rsa
Known gpg key: C0A9F2F0
But if I try to decrypt a gpg file, say
$ gpg -d ~/.authinfo.gpg
I am prompted again for the gpg passphrase, but only the first time. Decrypting again, even from a new terminal works fine. This means that emacs gnus, for example, fails to connect unless I first do an manual decrypt. Very annoying.
I would like to enter the passphrases once when I login.
Here is what I have in my zshrc (also bashrc) to start-up keychain:
if [[ $- == *i* ]]; then
eval `keychain --eval id_rsa C0A9F2F0 --inherit any-once --stop others --nogui`
GPG_TTY=$(tty)
export GPG_TTY
else
# In a non-interactive script, eval keychain, but don't try to
# prompt for passphrase
eval `keychain --eval id_rsa C0A9F2F0 7BBA874D --inherit any-once --stop others --quiet --noask`
fi
Here is my ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
# Time to live for gpg keys set
# 864000 is 10 days; max set to 100 days
max-cache-ttl 8640000
default-cache-ttl 864000
max-cache-ttl-ssh 8640000
# Use gpg-agent to serve SSH keys as well
# enable-ssh-support
# default-cache-ttl-ssh 864000
log-file /home/ded/gpg-agent.log
debug 4
Any ideas?

RVM: "sha256sum nor shasum found"

I've just installed RVM on a new machine and when switching into a directory containing a .rvmrc file (which I've accepted) I'm getting:
ERROR: Neither sha256sum nor shasum found in the PATH
I'm on OS X 10.5.8. — Probably missing something somewhere. Any ideas what's going on and how to fix this?

My OpenSSL happened to not have a sha256 enc function for some reason:
$ openssl sha256
openssl:Error: 'sha256' is an invalid command.
After some googling, I found that there is an equivalent called gsha256sum that comes with the homebrew recipe "coreutils". After installing that (brew install coreutils), I had a gsha256sum binary in /usr/local/bin, so it was just a matter of symlinking it:
$ sudo ln -s /usr/local/bin/gsha256sum /usr/local/bin/sha256sum
That fixed it for me.

ciastek's answer worked for me until I tried to run rvm within a $() in a bash script - rvm couldn't see the sha256sum function. So I created a file called sha256sum with the following contents:
openssl sha256 "$#" | awk '{print $2}'
put it in ~/bin, made it executable, and added that folder to my path (and removed the function from my .bashrc).
(Many thanks to my coworker Rob for helping me find that fix.)

Means you're missing the binary in /usr/bin or your path is somehow missing /usr/bin. Open a new shell and run echo $PATH | grep '/usr/bin' and see if its returned. Also, ls -alh /usr/bin/shasum and make sure the binary is there and executable. There is no sha256sum on OS X, just shasum.

On MacOS Sierra run
$ shasum -a 256 filename
Based on #vikas027 comment just add
alias sha256sum='shasum -a 256' to your ~/.zshrc

In my opinion Leopard just doesn't have /usr/bin/shasum.
Take a look at shasum manpage - this manpage is only for Snow Leopard. Other manpages, like ls manpage (can't link to it, not enough reputation), are for previous versions of MacOS X.
Workaround: Use OpenSSL to calculate sha256 checksums.
Leopards' OpenSSL (0.9.7) doesn't handle sha256. Upgrade OpenSSL. I've used MacPorts (can't link to it, not enough reputation). OpenSSL's dependecy zlib 1.2.5 required to upgrade XCode to 3.1. Can I get Xcode for Leopard still? is helpful.
Alias sha256sum to OpenSSL and correct the way it formats an output. I've put in my .bash_profile:
function sha256sum() { openssl sha256 "$#" | awk '{print $2}'; }

I'm on a relatively fresh install of Lion (OS X 10.7.4). In my /usr/bin/ folder I had these files:
-rw-rw-rw- 35 root wheel 807B /usr/bin/shasum
-rwxr-xr-x 1 root wheel 7.5K /usr/bin/shasum5.10
-rwxr-xr-x 1 root wheel 7.5K /usr/bin/shasum5.12
I had a shasum, it just wasn't marked as executable. A quick sudo chmod a+x /usr/bin/shasum solved the issue for me.

For mac os X 10.9.5 and you profile get /usr/bin path
date +%s | shasum | base64 | head -c 32 ; echo

And if you found yourself here in 2022 wondering what works on the latest Mac (Mac OS Big Sur). Do following.
sudo brew install coreutils
sudo ln -s /usr/bin/shasum<Version_for_your_installation> /usr/local/bin/sha256sum