2

This question was inspired to a degree by How secure is R and RStudio?

It had a very reasonable answer and looking at the possibilities I thought a small system of R scripts (about 10 scripts) would be reasonably safe if we are reasonably sure that scripts and settings (.properties) files remain the same. So everything to be checked is plain text.

Are there existing schemes that would allow to hash/checksum the known set of script files and alert user if the checksum (say for one of the files) changes?

Could this be done and if so what are the downsides?

r0berts
  • 135
  • 5

1 Answers1

1

You might want to consider using the same approach that Ubuntu and other Linux disributions use to verify the integrity of a collection of files. A 'master file' is created which contains the names and checksum hashes of all of the files in the collection (for example, see https://releases.ubuntu.com/22.04/SHA256SUMS). Then, the master file is digitally signed by a trusted signer.

To verify the integrity of one or more of the files in the collection: first the integrity of the master file is verified, by verifying the signature on the master file using the trusted signer's public key. Then, a hash of the file in question is taken, and compared with the hash for that file in the master file to ensure that it matches.

For more information on this process, see https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview

mti2935
  • 23,468
  • 2
  • 53
  • 73
  • Thanks @mti2935 To see if I understand correctly: I will need a way to verify the trusted signature on the master file. For that I will need to have a gpg installation and the user who would perform verification needs to know the passphrase to the key used for signing the master file? After verifying the master file process would be more automatic as for each file listed in the master file hash is taken and compared against that in the master file. Is that about right? Then my only worry is I am not sure if corp windows admins would let me install gpg4win. – r0berts Dec 08 '23 at 08:13
  • 1
    @r0berts Yes, one way of verifying the master file is to verify a digital signature on the master file made by the trusted signer, using the trusted signer's pubic key. GPG can be used to do this. Another way of verifying the master file is to use a hash instead of a digital signature. In this case, you would obtain a reference hash from the trusted signer, then take a hash of the master file, and check that it matches the reference hash. – mti2935 Dec 08 '23 at 16:00