Updates: Tyler on PowerHacking CSS to cutestrap your app in this latest episode!

S1E4: Pixel Embedded Digital Signatures


Digitally signing PNGs, with a hidden embedding.

Using programmatic GPG for digital signing, embedding in PNG pixelart in python. Today’s subject will be some character pixel art from the recent LuxJam entry.

Fumiko Attribution from OpenGameArt:

“created by sylvius fischer”


Transcript:

hey let's get this started
how are all you doing today this has
been quite a week hasn't it this was
this is the fourth day I think I've been
streaming there was a quick break on
Wednesday there's some fun that we'll
talk about a little bit later but this
is this is the show so we are at Episode
four and I've got the black glove ready
to go so there's gonna be some drawing
yeah it's as decent as it can go
what's up nightshade dude and thanks cam
by the way that's yeah we finally made
twitch Affiliate okay so we're gonna
talk about a bunch of things today but
let's let's just start off the the mana
bar is currently having some issues so
I'm gonna have to operate without mana
which I'm not a big fan of but you know
it's just one of those things that there
was a hosting bit of fun I'm not going
to name the provider but some very large
cloud provider decided to change things
about my hosting arrangement let's just
say they changed the Terms of Service
and they just kept putting it in just
about every browser I ever saw and the
funny catch of that is that I could no
longer push coding with some guy briefly
so that that led to a lot of interesting
things as we were getting ready for some
of the stuff this week so long story
short line ode to the rescue and I got
to have fun manually remembering how to
do SSL TLS certificates again I'm not
proud of it but you know we're we're
there in the mean time we're back up and
it broke things a little bit with the
mana bar so I'll get that fixed
for the next show but you get to watch
me put it together in the intro anyway
so these this aside you already know we
have our bots up and running today so
you can actually come join us in the
discord if you're new here or if you're
like these other dudes you already know
where it is and if you can't find that
then well I mean this is a programming
stream
so it might be might be a little tough
to follow for some of the live coding
but I'll do my best so what are we doing
today today is going to be about PKI and
specifically we're not going to we're
not going to talk about like pure public
x.509 and all that magic instead today
we're going to talk about something that
comes from an older era this is
originally stemming from a pretty good
privacy or PGP which later got built up
by canoe new however you happen to say
it into GPG which we're we're going to
be using today and we're going to be
doing that programmatically which is a
little different from how you normally
may use it so we're gonna work with that
we're gonna generate that's why I need
all those dice I mean we're gonna be
working with entropy like nobody's
business and we're going to be tracking
that entropy as we're moving around so
without further ado I think we're gonna
need to get serious with signing we're
gonna get serious we're really going to
be worried about signatures and
verification more than cryptography but
understand that the same technology is
going to work for both with some
variations if things go well we're gonna
get two pixels we're gonna be messing
around with things you probably
shouldn't do to a PNG file or but I
think we're gonna do those things so
we're gonna we're going to see how far
we get with the live coding with what we
can do in an hour so yeah but some let's
just do that
[Music]
all right well breaking stuff aside I
think that this is going to be kind of a
fun episode so we're gonna mess around
here today with GPG and we're going to
be doing that I can I can spell too it's
one of my latest talents we're gonna be
working with GPG and python and we're
gonna do a little bit with the shell
depending on how we get there and the
way we're gonna break that up color wise
is we're gonna start off just kind of
exercising the code so in in particular
this is we need to work with we need to
make a vault of sorts now this is not
the same vault that you might have seen
on the alt f4 stream if he happens to
show up and that looks more like an eye
but let's just pretend that this is like
oh yeah now it really looks like a
glowing eye so we're gonna we're going
to take this vault and this is going to
be our key trust system and we're going
to use the default stuff that works with
GPG in Python we're going to be using a
wrapper for it which is the Python new
PG module and assuming we can get all of
that working so we're gonna need some
key generation and you know then we're
gonna you know figure out how to sign
things well actually that's exactly what
we're gonna do next we're gonna figure
out how to sign things and verify them
so once we have our key and we know that
our program is able to adequately
operate on this key store then we're
actually going to take all of that and
we're gonna start working with graphics
so let's just get crazy there and we're
gonna talk about pixels and this is the
part this is going to be more of our
stretch goal because you know this this
is already kind of a lot of stuff to
cover but if we get to the pixels then
we're gonna be doing some things at
using some lesser-known parts of the PNG
file that you might not ordinarily be
doing so that's um that's kind of our
plan let's let's see what we can
actually get done as far as that goes
so today we've got our kind of standard
getting started now just just for fun I
pulled up the the docs for this just in
case we're gonna need them and I just
noticed that yeah we got seen so we've
got the scenes that's we're just getting
carried away here again so we're gonna
we're gonna operate with this for
basically all operations now basically
GPG is already installed on this system
so if i run it and you see that it does
things I think we can probably just go
yeah you don't get to do that so we can
probably is it a big V no is it a
version thing yeah okay it's cute style
so I've got this already installed and
the rest of it we're basically gonna get
so you can just you can have to install
this there's xx pretty much built into
Ubuntu by default at this point anyway
so not something you're gonna need to
worry about all right well I mean let's
you're on another operating system and
you probably know how to install g/kg
that's the case so where are we well we
had a lot of fun with the live coding
that we're setting up and that's going
to be for people who are interested in
learning different
is on stream we already have a couple
people signed up but I'm not taking any
more signatures
no more signups right now until we get
the tools sort of like flex flex to bid
we know that they work properly so we're
gonna be able to see that you can check
back in the earlier streams if you want
to see how all that got built but we
went crazy with multiplayer editors so
this is episode 4 let's let's just get
this party start all right no we're not
going to need a lot more to do this
other than you know we're just gonna
need our standard like Python
boilerplate to get going so I'm gonna
I'm gonna say that this is this is just
gonna be like digital signature
craziness so we're gonna call this dig
save because I'm diggin cigs right now
so we're gonna dig sake and get
ourselves a virtual environment and
we're basically kind of good to go there
so now I'm going to need this a few
tools in order to do this so let's we
don't want to phone we want to install
this stuff so let's get python can do PG
and that's all fine just in case we get
that far we're gonna need pillow later
as well and I think that's probably all
we're gonna need for today so let's um
yeah let's get rolling so freeport dude
please I still haven't gotten a hold of
head but so what we're gonna do is we're
gonna take this and we're gonna be able
to run digital signatures and right
that's that's all wonderful so the first
thing we're gonna need to do is we're
going to need a place to operate so for
this example I don't really have
anything in here so let's just let's
let's make art are not great vault so
let's say that our not great
well our vault is going to be in
apps for you need a full path for this
not great
now I'm gonna revoke all the keys that
you're gonna see a little bit later so
after the show said don't don't don't go
too far with with all this stuff but we
will have we're gonna operate in this
directory which doesn't exist as we can
see so not much has been done ahead now
okay so what we're going to need is
we're gonna need like a few basic things
to be able to operate easily on these
files so we're gonna be using OS and
show you it a little bit so let's use OS
or to make the directory and actually
you know what let me not put that in me
let's end it the vault so let's let's do
that instead so let's let's omit the
vault and in here we're going to make
some doors and those doors are gonna
have it's gonna be we're gonna be
focusing on the vault and because it's
GPG and you really should be using octal
which the prime agenda scuppered last
night and see would normally be
specified like say I wanted like file
permissions like this then you just do
this and see you put a zero in front of
but in Python you need the home as well
so we're gonna make that so it's only
readable writable executable by us and
we're going to know don't worry I'm not
gonna revoke all the keys nightshade
dude I'm gonna leave my key which
actually you know I'm glad you asked
because that's my fingerprint so I'm
just gonna leave that up in the corner
cuz we're feeling kind of key secrety
today so if you can well we'll get to
that a little bit later that so don't
don't worry about that QR code quite yet
alright so and then we're not gonna
worry about if this thing already exists
because we're probably gonna be running
this program and blowing away the keys
to our bunch so hey what's that back
Shea are you doing just getting started
here we're making up our vault
if we're running here we're gonna want
to blow away the vaults in case we're
reinitializing it so let's just make
sure that the vault here is not there
but just in the event that you know it's
the first time we're executing the
program and there's nothing there just
ignore the errors and that's that should
be fine so right now if we've run this
program we don't get very much other
than an error it's not ignore here rates
in your area and OS doesn't have make
dirt it has make burials and this is not
exist so we're gonna get our plural
cases wrong and that's gonna be fun
because it's live code okay so in here
let me just get this out of the way we
have a not great vault and there's
nothing in it right now but we will
reinitialize it so we can sort of run
this program as much as we want and
it'll just keep on blowing away whatever
is it I can go in here and say no don't
delete and it there it is it's no don't
delete but if we run our program I'm
sorry that's it's just not there okay so
we're ready to operate and in order to
do any of this key stuff we're gonna
need to pull in get a page so this is
the Python new PG that we just installed
so we're gonna need that and there's an
object down there which is good in PG
back jpg which handles sort of all of
your initialization and it needs a home
which is the vault that we just created
and that's basically it's gonna not
operate on my keys which are in some
directory somewhere instead it should be
operating on this little vault that we
just created so this is where we have to
start being careful about leaking key
secrets on stream but we'll see how many
times I fall for it and I'm just just in
case I'm gonna drink a little coffee to
make sure Network caffeinated okay so
alright we have this thing and we need
to be able to generate a key
in there so that's not too hard with
canoe pjc you basically just we're gonna
end up with the key no that's that's
where I got that in a moment
so the routine we're gonna need is the
Jenn key input so this is this is going
to get kind of our parameters set up for
how we want to initialize the GPG vault
so we're gonna say that our real name is
the nightshade dude okay let's let's
work with them these are a user B and
all that if I guess if we're using the
traditional applied cryptography it
should be Alice and Bob and you know all
those names but I'm not I'm not going
for that level of security on the string
yeah I know it's it's there nightshade
dude sorry about and so we're gonna need
nightshades dudes email which is
nightshade dude okay so we're gonna have
user a at example.com so let's let's
let's not hurt the innocent and we're
gonna need whatever Ganu PG password
we're gonna use so I was thinking about
this long and hard before the stream
like what what password would we want to
use live on stream and then I realized
like let's just talk about the facts
okay because Chrono Trigger is the best
game ever
so we're gonna we're gonna start with
the truth okay and from there we're
gonna move on to other things so
basically numbers station no but we're
gonna be we're gonna be generating
numbers ourselves so don't you worry
about that so I've noticed the
programmatic streams seem to do very
well it might my theory there is just
like people want something to watch and
you know life coding is hard you know so
they're just kind of cleaning up to
everybody else so this should create our
our well we've sort of configured our
key input so now we actually have to get
a key and the way we're going to get the
key is we're going to generate so no
real surprise there and we just pass
along kind of our config that we just
generated so if all goes fine you should
end up with a key now the key is has a
bunch of stuff on it but we're gonna
we're gonna talk about that at the
moment so now this starts taking a
little while because it's gonna start
hitting the high quality entropy pool
and we're gonna have to watch it now
that the thing that gets dumped out here
is excuse me this is the fingerprint for
our key so if we just wanted to be like
precise about its actually hanging off
of the fingerprint parameter so that's
the string and I could say like you know
user a fingerprint is going to be this
thing great so that just blew away the
vault and we generated a new thing a new
key and that's all fine it's going to
blow it away every single time I run
this program so that's pretty good right
that's that's our base vault code so
this this basically gets us started to
be able to sign and encrypt and
everything else that we're going to need
to do now for purposes of operating
around here we're gonna need another
user that we're gonna need to know about
so prior to this I created a user B so
we're gonna we're gonna go find our
friend here and we're just going to pull
him in because
think left it over here so think that's
right
this setup directory and some other
stuff that the episodes or an episode
before and yeah okay I did leave it over
here so I'm just gonna copy this key
over so we're gonna need that in a
little bit this is for just some user
that you found like you met in real life
this particular user is not very
creatively named he's named user B so
we'll worry about user B in a moment so
can't do you know about the no oh sorry
that's yeah I already responded that I
forget to respond yeah that's uh oh
you're talking about like the real ones
like yes yes I have actually heard of
that there was there's like one over in
like the Ukraine or somewhere yeah it's
a mystery it's been going on there's
kind of a mystery well anyway I want to
get too far that was actually a lot of
stuff to get through so right we have
our our user here now I can keep on
generating this as many times as I want
seemingly until I start running out of
injury and you're gonna notice that if I
watch so this is in Prague is random if
we go in here we have a whole bunch of
things about the current entropy pool
that's available for this program and
that's how much I have available I had
to kind of stock that pool up before we
got going today because we're gonna need
a lot of randomness so we want to keep
an eye on that so I'm gonna just over
and over again look at what's in the
entropy
so let's um let's do that all right so
so up here now at the top of the screen
we can see like how much entropy is
available at any moment now I'm gonna
just keep that permanently up there so
we're gonna resize that's too big isn't
it
so we're gonna resize this to be like
five lines okay so you can we can
actually go one line for the size of the
floor all right
so you can keep your eye up there but as
we're operating you're gonna notice this
entropy pool is going to start
diminishing
so like for example if I just blow that
away and I just start generating and
then I blow away and I said okay Wow
wait oh that's right I ran the entropy
David so we should be all right on
entropy for the rest of this show we'll
find out okay now we don't actually want
to blow our identity away every single
time we run this program we want to try
to make some progress
so and everybody on the Internet with
that fire watch five seconds in laughs
yeah does this seem like the internet
has been struggling a little bit so and
by the way nice nice icon nightshade
dude that is totally basically what I
drew before so right where we've got our
vault now in order to move around from
the vault we're actually going to need
like some stuff that we can play with so
in we we could start talking about
cryptography itself which I told you
today I'm sort of less interested in but
the first thing that we're gonna need is
let's see what it's like to deal with
multiple users so let's look let's get
user B let's let's import another key
right and this is something that would
have been passed to you in some secure
manner well we'll get to check in that
later but let's say that we want to
import this this file that i just copied
over this user bas
now you can you can generate your own
basically right here by
you know just showing it so like oh
actually I'll show you a little bit but
we're gonna operate on either bead is
and this is and what we can do here and
I'm not gonna display that one but let's
take a look at what we actually just
created so let's say that this routine
runs the first thing we do is we open
our vault and that's gonna get every
single routine we write we're gonna
start there and then we want to see like
what keys are are in there so we're just
gonna dump that out and it should only
be worn in there at the moment okay
there is so the key that I just created
for user a example so I didn't clean
that up I should I should should make
that pretty for all of you okay so my
apologies it's just one of those days so
here we have the user a key that we just
created this is us operating on the
trustor and we know what our fingerprint
is for the key that was generated now
this say we go and we send some of this
key data like to actually like get the
key data we would need to dump out the
public key material and that yeah like
that that that's sort of hidden tucked
away in a different spot we're gonna
worry too much about that that's that's
that's over here on
you're and you're exporting you know
public stuff so like we can we can
export keys
this'll actually give us an ASCII
armored version of the key that we want
so say we wanted to dump ours out and
hopefully I don't dump my own one out
but let's look let's actually do this so
because why not so let's let's go and
dump out the user a this is this was
loser a at example.com you can use any
key identifier that GPG recognizes so in
this case I'm just going to use the
email address and we're going to not
yeah we're not going to output that
other stuff so there you go there's the
public key block so this is our first
public key block great well user B went
and did exactly that before the show
good thing user B did that and we ended
up with user B's public key block so
let's go pull that into our key store so
that we can start doing some more
interesting things so GPG and this is
pretty straightforward I really like
this library that this is a wrapper and
the author did a nice job of sort of
making it as convenient as possible
given that GPG it's it's kind of like
not really the library I think I think
he's operating on the raw executable so
all we really need to do is basically
read in this key so the key file is in
this imp file so if I want to read this
thing in hard so I could say like either
B is that then I can go here and use it
the pub key I can go and import it and I
should get a result to that
let's see how today so we go and run
that and yeah we got the result object
which I think what parameters there is
only one of those like yeah okay results
so results and okay so this is great
because it basically is saying that we
pulled in this key which had a different
fingerprint because this is user B's
fingerprint allegedly and it's you know
telling us that it kind of like pulled
the thing in now it's not importing it
again because I already have it imported
because we've run this program multiple
times but if I blew the vault away and
started over again with a fresh identity
yes okay so here we're pulling in an
entirely new key now it this is good
because we managed to get an okay and we
don't have trust configured right now
because we've just pulled this thing in
but we don't really know that we can
trust it now I don't want to talk too
much about trust basically you need some
method of verifying that this
fingerprint is right so you know that
could be preferably in person and you
know they have key signing parties
there's all sorts of ways say you could
wrap it into a QR code which might be
hanging out over there you have
different ways that you can pass around
trust and you're gonna need to kind of
make an assessment based on how you got
this trust was it interfered with how
much can I trust this key that we just
pulled it I'm gonna skip that we're just
gonna pretend that we know that this is
good that this was the right fingerprint
I can tell you that you know when I
generated the thing I came up with this
fingerprint that we can go up sorry
wrong key oh yeah sorry that's the right
key right so I got this fingerprint when
I generated it earlier and we could see
that these things are you know the same
if we check them very carefully okay so
we're just gonna say like yeah let's
just trust this this user so to do that
I noticed that there were problems there
is a routine in here called trust keys
which you know pretty much gets invoked
or what you think but the problem is
that didn't work so I actually ended up
just trusting this thing you know when I
was doing prep at the command-line so I
can actually run GPG directly if I tell
it to operate on the keystore that I
just created which is not a great fault
I was working in temper earlier and I
think I need to give this a full path
actually so let's just give it a full
path and then what we need to do is we
need to edit this key so this was user B
that we just pulled in so there it is we
have user B was pulled up and we don't
really know anything about user B other
than well GPG doesn't know anything
about user B other than you know here's
some key material about like which ID it
is and you know how when it was created
and how long it's valid for whatever we
don't really know much about this user
because I made very basic keys for this
now that's great but we want to see what
the fingerprint is all right so we take
a look at the fingerprint that is
attached to the key which surprisingly
matches the fingerprint that was on the
keychain and matches the fingerprints
that I had at generation time so we
verify that we go yep that's all fine I
want to trust this key now there's a
some issues here if you don't trust it
ultimately in this case I do trust it
ultimately but you probably just want to
trust it like fully or marginally for
most uses okay so do you want to give
this ultimate trust yes okay now if I go
looking at this key let's say we just
edit this key again you'll notice that
it's been added to the trust database so
this GPG will now trust that this key
works properly that's important because
it will break your code you know get
some invalid where was it was we tell
you exactly what you're gonna get in the
event that you forget to do that and you
try doing this again oh you're gonna get
this invalid recipient it's not that the
recipients invalidates that the
recipients untrusted so the program's
just going to kind of reject
so yeah this is that's great so now we
have our own key we have our other user
and we're ready to start operate so as
far as this part goes with exercising
our code we're gonna say that we've done
this so we're actually let's let's get
more let's get more direct about that
and say that we've done this all right
so we've exercised this we know that
we're good in here and we've trusted it
and now we're ready to start signing and
verifying so this is yeah I can't draw
that like barely holding it so let's
just work here and get this thing signed
up alright so this is now we have our
other key in the store and we're gonna
stop blowing away the key every time
great
have fun nightshade dude that's might be
difficult remotely and yeah so wonderful
well turns out we should try signing and
verifying so let's let's sign and verify
something we're gonna need something to
actually verify but for now I'm just
gonna do some simple strings that are
operating in memory so we're gonna sign
and verify and what we're gonna do now
in the case of the two keys that I have
in there I have the public key from user
B and I have public and private for me
who is currently user a user a can sign
things but user bi can't sign for user B
unless I had that private key that's
kind of important because if I could
sign with their public key would have
some issues that's sort of a different
operation so we can send something to
them that we want only them to see but
we can't sign we can't pretend to be
them okay but we can be us and so to do
that let's reopen on vault and
we're going to have a very amazing
variable naming here but let's let me
just yeah okay I don't want to get too
much into that's a little bit
complicated but let's let's start with a
basic signing flow so say I want to sign
something and I can pass along there's a
variant of this which is signed file if
I want to operate on files but I want to
work in memory so I just need something
that I want to sign so nightshade dude
it's teaching a new hire so let's say
that this is something it's really
important that you all know that I
signed this all right so there's our
message nightshade dude is teaching a
new hire well that's good now we need to
know in the case that I'm signing well
actually that's it right it's going to
pick my default identity and it's gonna
say well your user a so you mean that
you want user a to sign this thing yeah
okay well let's see what we get now if I
go and run my program again now I'm
gonna be prompted for my program I don't
know if you can see that in the stream
but I'm getting a screen that's asking
me to say that Chrono Trigger best game
ever and if I type that in right I get
my signing message which is nightshade
dude is teaching a new hire and I get my
signature which is kind of neat now this
is signed with user a so how do we know
that that's fine right so let's let's
take the contents of all of this now I
could actually just write it out so
let's let's do that so that we don't
mess with it
so let's let's open first text
and this is gonna be a signed file but
look we're not gonna worry about
extensions so we're gonna write out into
this first text the contents of this
signature now GPG operates whether it's
binary or tech so it sort of assumes
that everything it's dealing with is
binary so let's let's try to keep to
that for now oh I actually need the the
payload there which is I think I can
just curse it
Thanks so if I ask it to be a string but
you know strings need to be encoded as
binary so you know I know that this is a
gasp domain yep this works so I can look
at first text and I get the proper
message and that's gonna work binary or
ASCII is I won't have to do the encode
step because it'll actually be binary I
just flipped it into bytes by doing that
so great we know how to sign now do we
know how to verify so that's gonna sign
for us now this part we can actually
just stop doing that so the thing that
we want to do next is we're gonna want
to verify so again I'm going to show you
the memory version of this first so
let's take B here which is gonna be our
our signed text I'll name the variables
a little bit better so we're gonna take
our sign text and we're gonna open it up
there's the first text again we're gonna
go with binary and we're gonna read the
whole thing in and we're gonna ask GPG
to verify this this thing so now anybody
who has the public key for user a can
verify this if they trust the key they
have for user a so this is going to give
us a verification result and
I'm gonna print that out which is
actually just an object I think yeah we
actually get the verify object so to
know that this is fine you just cast it
to a beer and it'll do the right thing
okay so actually it worked right so we
know that this signature on this file is
good we can prove that by screwing with
this file so say I go and I edit this
first text because I'm a bad person and
I want to say something that wasn't said
it's teaching a new hire okay so I've
gone and I've changed this message so I
run this thing yeah that digital
signature fails okay so our basic
operations worked fine now like I told
you there's a file version of this I
don't actually have to read the thing in
and then do it in memory that's going to
be useful in a moment but for now let's
just do let's operate on that file
directly by saying GPG verify file and
this just expects a file like object so
we'll just pass it the open so let's say
first text is binary and stick that in
the result and reality okay it's not
valid now that's because I went and I
changed the text theoretically if I get
that right to exactly where I started
the signature passes I mean even one
change here he's gonna screw this up
okay so we know that our signature stuff
works great except I don't want to leave
that in a broken state because it's
depressing so I want to see that that
signature is valid
okay good now we have signing and
verification so we're actually damn
we're cookin so that's that's pretty
solid so just because I think we're
gonna be in reach let's let's go for it
I mean that was our that was our sign
and verify so we're good I'm giving I'm
giving a nice big you know what I'm
gonna get
even crazier and I'm gonna say that I
get a green checkmark because that's
that's a pretty dark green so I'm gonna
take this green yes that's a big job all
right
well that just leaves one more thing
that we have to do and I didn't think I
was gonna get off that easy so we're
gonna have to go and do this with pixels
all right now this is where things get a
little interesting so that all worked
fine so we're gonna get to our pixel fun
and a pixel fun is going to require some
pixels to start operating so let's just
set that up and alright so we're running
that nothing really happening to do a
little bit of pixel fun we're gonna need
some pixels to operate on so back here
in our assets directory I happen to copy
Fumiko now who is famiy oh well famiy co
is kind of fun because sumiko for those
of you still have some entropy available
so we're still good to go Tomiko is a
very special sprite to me because if
you're not aware
Tomiko is the sprite that I used for the
lux gym ok so this is the character that
I was using this is off open game art
and this is the character that I was
using for the live learn of Godot when I
was participating the lux gym which was
like 24 hours and write a game from
scratch Lanna talked me into it
I hadn't worked in Godot before she's
like well when are you gonna learn you
know so no time like the present we took
from eco and we put her into a game
world now the game wasn't that fun so
I'm not going to link it here but oh
sorry about that
I totally need to get that screen
command added this is and for those
you've been here before you're gonna
realize that I do that occasionally
thank you yeah yeah let me make it
and for the bots but basically sorry
this is Himiko didn't mean to show you
the whiteboard that has the this is what
I was using in the game jam so we're
gonna take this image and we're gonna
operate on it now P and G's have kind of
a fun hidden side to them and we're
going to talk about that hidden side for
a moment because that is important for
what we're gonna do now we learned up
here sort of how to read a signature now
in this case we actually like sign the
file and we saved it in the file
now if we do that with a PNG we're gonna
make the file invalid right because it's
going to have like the signature text at
the bottom of it and that's not part of
the PNG so anything that tries to read
the PNG is probably gonna break unless
it can deal with some level of errors
but that's not a good place to store
that key so instead what we're gonna do
is we're not going to store the key in
the file itself we're gonna store it
outside this is called a detached key so
I basically am gonna start off the same
way what I'm gonna do is I'm going to
read my file in and I'm gonna get my
signature and that's pretty close to
what actually I need the GPU to do
that's pretty close to yeah this is my
signature right here so that's pretty
close to how you operate on the binary
file itself so this is going to be famiy
sine sig in this case we're gonna do a
now just like I showed you over here
with verify file there's an equivalent
sine file now if I just hand this famiy
Co
then it's actually gonna sign in the
famiy Co file which we don't want to do
so let's not do that so it this won't
actually right on to the file but the
thing that I get back is gonna have the
data of the Kimiko file with the
signature at the bottom which is not
what we want to write so let's let's
tell this system that we want to detach
the signature so in this case I have to
actually like tell it like you know that
you should need to you need to detach it
don't put it in the PNG we wanted to
operate in a separate file it doesn't
matter if I'm going to read the thing in
memory or if I'm gonna operate on the
disk same story if I want that signature
not with the binary of the thing detach
it okay great
well let's let's see what we got if we
detach it now okay this string has no
object res because you don't pass it a
string of the file you pass it the
stream that points to the file okay
that's neat I get out my signature block
and I don't get all of the binary that's
associated with the file just because
you're all special I'm going to show you
what happens if you forget to do and
let's say we didn't use the detachment
okay this what did I actually do this
there we go
yeah okay so there's my normal binary
and clean that terminal up and oh it's
in me so if I go and I run this yeah
okay that's no actually that's that's
weird I mean it before it was actually
oh I guess it's being smart now but
let's let's stay safe and do it some of
the way we're supposed to so okay so now
I'm getting binary back and I oh no it
might have actually altered the Fumiko
file
yeah that would be bad wouldn't it so
let's uh let's just take a quick look at
Tamiko versus abscess that has pixel
amiko oh no ok good it didn't yet ok so
that that's weird I don't know why that
was given that to me in the prep session
but whatever I think it was trouble yeah
I'm not really sure oh maybe because I
passed along as file yeah I mean if I I
was operating on the thing as binary but
then I realized I got it's better to
just operate on the file directly ok so
we have our signature and we're good now
we need a place to put this signature so
if I just append it to the end of the
file which would be bad then we would
you know create are invalid files so
instead let's let's let's go to our
imaging library so for imaging we're
gonna pull in the Pattillo and we're
gonna need image but we're also going to
need the much lesser known piece which
is I think I think actually if I just
pull in pill we're probably all right
with that but he'll dot PNG image plugin
so pill by itself can operate on a PNG
file but if you want to go messing
around with things that are specific to
the file format you're gonna need the
actual image plug-in itself so let's
yeah let's let's do that now what I want
to do first is we're gonna actually read
this file so in the case of just because
I want to prove to you there's nothing
in there so if I go and I say pill Dada
image open and I specified that this is
Sumiko dot PNG so this should be
unaltered then I'm gonna get an image
all right now if I print out the info
tag which corresponds to the I text
chunk in the PNG I'm gonna get it's sort
of like exif data I'm gonna get a little
bit of information about the picture and
that's right now it's just telling me
that the DPI is 72 72 now what's cool
about that is it's not
actually exit data so I can go and
doctor this thing so let's say for
example that I want to like right over
it so this I don't think I can operate
yeah now you're not allowed to change
the the object so this is probably gonna
just shallow clone it which is not
really what we want so let's well just
because you know hey we might get lucky
let's let's go and take this thing and
we're gonna add a I text chunk so this
is just in case you're curious this is
the chunk in a PNG okay so this I text
chunk here it is header and if I look at
I text then I can see that I can stuff
some extra textual information in the
PNG file pill allows us to operate on
this so we can say like you know some
stuff as the key and then we have to
give it a value so there are some things
okay great
this isn't actually going to save them
because I'm actually going to have to
specify that except it's probably not
gonna let me operate on the raw info
object yeah you're not allowed to
operate because this is actually just a
dictionary it's not I've lost the object
itself so if I want to actually make my
own then I need to do this PNG image
plug-in and I need to get a PNG info
record so this is what I'm actually
gonna doctor and I'm gonna take this
thing now I could copy over the keys
that are there I'm not worried about
preserving the metadata at the moment
but that would be important in general
so if I go and I add text to this thing
so we don't need to do it to the image
we're gonna instead add it to our info
object that okay PNG image plug-in is
no because it's pad right pill PNG in
okay there we go
okay so we're not gonna we're gonna stop
showing this old signature and right we
see right now that we don't have
anything really from the image it's
there's nothing in there but I've
created a new object that has what I'm
gonna need in there so I can actually go
and iterate all these keys and have them
back but we're not gonna worry about
that for now because clock's ticking so
let's go and actually save this thing so
saving an image pretty easy we're just
gonna need a different version of it so
we're gonna call this signed because
that's where we're heading with it and
we're gonna say that this has to be a
PNG so don't try to do the file magic on
there and we can say the PNG this has
like kind of a hidden parameter if
you're working on the PNG which is the
PNG info I can say use this PNG info on
the fall great now I get a new file here
which seems to be just about the same
except it isn't right you'll see that
this is just slightly bigger and the
difference between those two if I open
up the other one is that
Kumiko sign actually has now I'm gonna
here I'm printing out what's in there so
let's let's not do these things for the
moment
okay so right here now we see that
there's actually some stuff embedded in
there which is pretty cool what do we
want to embed in there our signature
so let's get it so here I have a way of
adding text directly to the file so if I
go and I add myself a new key say
cig right then this I don't want to work
on the signs one anymore wanna work on
the original and we're gonna overwrite
the signed one then all I need to do is
just figure out whatever signature I
want to embed in here so this would be
the Fumiko cig now I have to actually
calculate that cig it comes to me
basically the same way that we just did
up here oh I already have it done
look at me main things consistently so
here we open the file and we generated
the cig here we're actually taking the
cig and we're sticking it in this sig
text object like signature we can spend
a few more bites right all right so
cheap and we're gonna write that out
here so dope yeah sign doesn't have
anything called it code so that's
because this is actually binary except
we know that the signatures are always
going to be ASCII armored so it's it's
fine you're gonna keep in you can decode
this thing because we know it's asking
because it's just the signature part Oh
sign object right I actually have to
cast it now I don't need it because it's
already cast and it does the work for me
great okay so this was the old you know
info that was in there but now if I load
up the signed version and I don't edit
it so I'm not gonna save over it there
we go
embedded signature inside the image and
it's just hiding there in plain sight so
I've got my Niko signed which is now a
little bit bigger and I shouldn't have
changed the file for the viewer so if I
come back here to my browser there it is
to actually verify the signatures a
little bit more work the thing that we
are kind of playing a little fast and
loose with is the fact that writing out
this PNG file again so I took this PNG I
read it in in in image sorry not an
image patch chicken pillow and I then
went and doctored the table and I added
the signature to it and then I wrote it
back out but the problem is that it's
not exactly one to one it's not add
impotant in this case because famiy Co
if I took from Niko and I wrote Fumiko
directly out with no modifications it
would probably be different
unless this author was using exactly the
same version then that's gonna be
problematic so this signature that I
signed which was signed against the
original binary is gonna cause trouble
so to fix that I would have had to like
pre encode it with pill and make sure
that I get exactly one to one for my
output except now it has the signature
attached to it so verifying the
signature would just be pulling the file
open removing the signature and checking
that against to make sure that it
matches so there you go we have a file
that we can send with a buried signature
for user a tool analog so I
thank you for tuning in thank you for
checking it all out I'm gonna go and
give myself another check because it's
just that kind of day and ya come by for
the free code sessions where things are
less prepped and come by for the the
learn sessions there's also going to be
there's a few sub segments that are
gonna happen so this is just our regular
Friday segment where it's it's more
about like you know doing our typical
you know can like compact sessions right
so this is about like you know can we
give you something dense in an hour but
in the case of the other sessions
they're they're more like two or three
hours they're a little more you know I
assume people have time who are coming
to check it out and that's um yeah you
know feel free to see what you want to
see so anyway
come join us on the disk or we can chat
I have a just for anybody tuning in late
there's the discord so you know the some
bot is in there as well and has a whole
bunch of commands that'll tell you like
you know what kind of keyboard it is and
all sorts other fun stuff so real fast
any questions everyone no questions
yeah that's exactly the idea cam so Oh
actually I see that Lana's on so we
could actually probably drop in on her
and tell her that we have a special
picture for I don't want to let's not
drop it in chat everybody but yeah let's
uh let's go do that let's go let's go
visit Lana so thanks everybody for
sticking around for checking out the
raid if you're gonna stick around for
that and yeah thanks for coming and
there's all sorts of fun little things
that you can do with this which I'm not
gonna go into too much detail so I'm
gonna go back next week we're going to
get the rest of the dev tools ready to
be able to do live lessons on the stream
so we'll have the CSG live show should
hopefully be it might be a little too
early next week but coming up soon and
then after that yeah I mean we got we
got games too right we got more fun to
do and I'm going to get the season
schedule out at some point
so we'll get to all that but anyway
thank you very much for your time and
have a good day and let's go check out