WO2022222437A1 - Script verification method, script signing method, and computing device - Google Patents

Script verification method, script signing method, and computing device Download PDF

Info

Publication number
WO2022222437A1
WO2022222437A1 PCT/CN2021/129672 CN2021129672W WO2022222437A1 WO 2022222437 A1 WO2022222437 A1 WO 2022222437A1 CN 2021129672 W CN2021129672 W CN 2021129672W WO 2022222437 A1 WO2022222437 A1 WO 2022222437A1
Authority
WO
WIPO (PCT)
Prior art keywords
script
file
script file
signature
verification
Prior art date
Application number
PCT/CN2021/129672
Other languages
French (fr)
Chinese (zh)
Inventor
张亚
邵应坚
Original Assignee
统信软件技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 统信软件技术有限公司 filed Critical 统信软件技术有限公司
Publication of WO2022222437A1 publication Critical patent/WO2022222437A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/30Creation or generation of source code
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the present invention relates to the technical field of script signature, in particular to a script verification method, a script signature method and a computing device.
  • the script is easy to develop, does not need to be compiled, can be run directly, and is widely used in the Linux operating system.
  • Commonly used scripts in Linux operating systems include shell, python, perl, lua, rubby, etc.
  • the script currently only checks the execution user, executable permission and root account when executing the script, which lacks an effective security mechanism.
  • For system environments with high security requirements such as banks and enterprises, it is very important to ensure the security and credibility of scripts when running scripts.
  • the present invention provides a script verification method and a script signature method to try to solve or at least alleviate the above problems.
  • a script verification method which is executed in an operating system and includes the steps of: executing a script file; judging whether the script file is a script file to be verified; if it is a script file to be verified, obtaining based on the script file script file path, and write the script file path into the character device file; read the character device file to obtain the script file to be verified based on the script file path in the character device file; and perform signature verification on the script file to be verified, if the verification is successful, Then continue to execute the script file.
  • the step of judging whether the script file is the script file to be verified includes: acquiring the script interpreter parameters in the script file, and determining whether the script interpreter parameter specifies whether the script interpreter is a predetermined script interpreter. ; If it is a predetermined script interpreter, determine that the script file is the script file to be verified.
  • the script verification method also includes the steps of: if the script interpreter parameter is not obtained, then obtain the script file parameter, and judge whether the file specified by the script file parameter is an elf file or a java file; if not elf file or java file, it is determined that the script file is the script file to be verified.
  • the script verification method according to the present invention further includes the step of: if the signature verification fails, terminating the execution of the script file, and generating a signature verification failure message to display on the interface.
  • the method further includes the step of: writing the verification result into the character device file.
  • performing signature verification on the script file includes: calling the script verification method to perform signature verification on the script file.
  • the step of performing signature verification on the script file includes: acquiring annotation information from the end of the script file, and acquiring signature data based on the annotation information; acquiring script content in the script file;
  • the digest algorithm calculates the first digest of the script content; decrypts the signature data based on the signature certificate to generate the second digest; compares whether the first digest and the second digest are the same, if they are the same, the verification is successful.
  • the step of decrypting the signature data based on the signature certificate includes: converting the signature data into signature information of a predetermined structure; verifying the signature certificate in order to verify the script The identity of the issuer of the file; the signature information is decrypted based on the signature certificate, and a second digest is generated.
  • a script signature method executed in a computing device, comprising the steps of: acquiring script content in a script file; calculating a digest of the script content based on a digest algorithm; performing signature, generating signature information, and converting the signature information into signature data; and adding the signature data to the end of the script file based on an annotation method to serve as the annotation information of the script file.
  • a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the The program instructions include instructions for performing the method as described above.
  • a readable storage medium storing program instructions, which when read and executed by a computing device, cause the computing device to perform the method as described above.
  • a script signature method and a script verification method are provided.
  • developers can sign script files in multiple languages under the Linux system, and add the signature data to the script in the form of comments.
  • the signature data is stored in the signed script file as comment information, and it is not easy to lose.
  • the computing device determines whether the script needs to be verified by executing the script verification method, and verifies the signature data in the signed script file that needs to be verified, and can continue to run the script only after the verification is passed. In this way, the security of the script runtime can be fully guaranteed.
  • FIG. 1 shows a schematic diagram of a computing device 100 according to an embodiment of the present invention
  • FIG. 2 shows a flowchart of a script signature method 200 according to an embodiment of the present invention
  • FIG. 3 shows a flowchart of a script verification method 300 according to an embodiment of the present invention.
  • FIG. 4 shows a sequence diagram of a script verification method 300 according to an embodiment of the present invention.
  • the script signature method 200 and the script verification method 300 in the present invention are suitable for execution in a computing device.
  • the computing device performs developer signature on the script file by executing the script signing method 200, and adds the signature data to the script file in the form of comments.
  • the computing device verifies the signature data in the script file by executing the script verification method 300 .
  • FIG. 1 shows a schematic diagram of a computing device 100 according to one embodiment of the present invention.
  • computing device 100 typically includes system memory 106 and one or more processors 104 .
  • the memory bus 108 may be used for communication between the processor 104 and the system memory 106 .
  • the processor 104 may be any type of process including, but not limited to, a microprocessor (UP), a microcontroller (UC), a digital information processor (DSP), or any combination thereof.
  • Processor 104 may include one or more levels of cache, such as L1 cache 110 and L2 cache 112 , processor core 114 , and registers 116 .
  • Exemplary processor cores 114 may include arithmetic logic units (ALUs), floating point units (FPUs), digital signal processing cores (DSP cores), or any combination thereof.
  • the exemplary memory controller 118 may be used with the processor 104 , or in some implementations, the memory controller 118 may be an internal part of the processor 104 .
  • system memory 106 may be any type of memory including, but not limited to, volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof.
  • System memory 106 may include operating system 120 , one or more applications 122 , and program data 124 .
  • applications 122 may be arranged to execute instructions using program data 124 by one or more processors 104 on an operating system.
  • Computing device 100 also includes storage device 132 including removable storage 136 and non-removable storage 138 .
  • Computing device 100 may also include a storage interface bus 134 .
  • Storage interface bus 134 enables communication from storage devices 132 (eg, removable storage 136 and non-removable storage 138 ) to base configuration 102 via bus/interface controller 130 .
  • Operating system 120, applications 122, and at least a portion of data 124 may be stored on removable storage 136 and/or non-removable storage 138, and via the storage interface bus when computing device 100 is powered on or applications 122 are to be executed 134 is loaded into system memory 106 and executed by one or more processors 104 .
  • Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (eg, output device 142 , peripheral interface 144 , and communication device 146 ) to base configuration 102 via bus/interface controller 130 .
  • Example output devices 142 include graphics processing unit 148 and audio processing unit 150 . They may be configured to facilitate communication via one or more A/V ports 152 with various external devices such as displays or speakers.
  • Example peripheral interfaces 144 may include serial interface controller 154 and parallel interface controller 156, which may be configured to facilitate communication via one or more I/O ports 158 and input devices such as keyboard, mouse, pen , voice input devices, touch input devices) or other peripherals (eg printers, scanners, etc.)
  • the example communication device 146 may include a network controller 160 that may be arranged to facilitate communication via one or more communication ports 164 with one or more other computing devices 162 over a network communication link.
  • a network communication link may be one example of a communication medium.
  • Communication media may typically embody computer readable instructions, data structures, program modules in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • a "modulated data signal" may be a signal in which one or more of its data sets or whose changes may be made in the signal in a manner that encodes information.
  • communication media may include wired media, such as wired or leased line networks, and various wireless media, such as acoustic, radio frequency (RF), microwave, infrared (IR), or other wireless media.
  • RF radio frequency
  • IR infrared
  • the term computer readable medium as used herein may include both storage media and communication media.
  • Computing device 100 may be implemented as a personal computer including a desktop computer and a notebook computer configuration.
  • computing device 100 may also be implemented as part of a small form factor portable (or mobile) electronic device such as a cellular telephone, digital camera, personal digital assistant (PDA), personal media player device, wireless web browsing device , personal headsets, application-specific devices, or hybrid devices that can include any of the above.
  • PDA personal digital assistant
  • It can even be implemented as a server, such as a file server, database server, application server, and WEB server. The embodiments of the present invention do not limit this.
  • the computing device 100 is configured to perform the script signing method 200 according to the present invention.
  • the application 122 of the computing device 100 includes a plurality of program instructions for executing the script signature method 200 of the present invention, and these program instructions can be read and executed by the computing device 100, so that the computing device 100 can execute the script signature according to the present invention.
  • the method 200 is to developer-sign the script file.
  • the computing device 100 is configured to execute the script verification method 300 according to the present invention.
  • the operating system 120 of the computing device 100 contains a plurality of program instructions for executing the script verification method 300 of the present invention, and these program instructions can be read and executed by the computing device 100, so that the operating system executes the script verification method according to the present invention
  • the method 300 is to verify the signed script file.
  • the computing device 100 signs the script file by executing the script signature method 200, and adds the signature data to the end of the script file in the form of comments , so that the signature data is saved in the signed script file as comment information.
  • the operating system of the computing device 100 verifies the signature data in the script file by executing the script verification method 300 .
  • FIG. 2 shows a flowchart of a script signing method 200 according to an embodiment of the present invention.
  • the method 200 is suitable for execution in a computing device, such as the aforementioned computing device 100 .
  • script signature method 200 is suitable for developer signatures for script files in multiple languages under the Linux system.
  • the present invention is not limited to a specific script language.
  • step S210 the script content in the script file is obtained.
  • a digest of the script content is calculated based on a digest algorithm. That is to say, the digest is calculated for the script content based on the digest algorithm, and the digest is also the digest of the script file.
  • the digest algorithm is, for example, a message digest algorithm.
  • step S220 when obtaining the script content in the script file, blank lines and comment lines are ignored. In this way, when calculating the summary of the script file in step S220, the summary is calculated based on the content of the script after removing blank lines and comment lines.
  • step S230 signature calculation is performed on the digest based on the private key and the signature algorithm, signature information is generated, and signature data is generated after format conversion of the signature information.
  • the signature information obtained by calculating the signature on the digest is a structure conforming to the pkcs#7 standard, and the signature data in pem format is obtained after format conversion of the signature information conforming to the pkcs#7 standard. It should be noted that the present invention is not limited to the specific format of the signature information.
  • step S240 the signature data in pem format is added to the end of the script file based on the annotation method, as the annotation information of the script file.
  • the signature data generated after signing the content of the script file according to the method 200 of the present invention is stored in the signed script file as comment information, which avoids the problem of easy loss of the scheme of separately saving the signature file.
  • the script signature method 200 and the corresponding script verification method 300 of the present invention are both applicable to script files in multiple languages under the Linux system.
  • the present invention does not specifically limit the script language of the script file.
  • the script file may be implemented as a Shell script, a Python script, a Perl script, a Lua script, a Rubby script, etc., but is not limited thereto.
  • the script signature method 200 and the script verification method 300 of the present invention are described in detail by taking a shell script as an example.
  • FIG. 3 shows a flowchart of a script verification method 300 according to an embodiment of the present invention.
  • the method 300 is suitable for execution in an operating system of a computing device, such as the aforementioned computing device 100 .
  • step S310 the script file is executed.
  • one or more kinds of script files can be executed in the Linux system, such as executing Shell script, Python script, Perl script, Lua script, Rubby script, and not limited to these script files.
  • step S320 it is determined whether the script file is a script file to be verified. That is, when executing the script file, it is determined whether the script file is the script file to be verified.
  • the script file to be verified is, for example, a script file that is signed based on the aforementioned script signature method 200.
  • the computing device 100 will verify the script file according to the script verification method 300 of the present invention.
  • the signature data of the signed script file is verified.
  • the script file to be verified after being signed based on the script signature method 200 may be one or more of a Shell script, a Python script, a Perl script, a Lua script, and a Rubby script.
  • whether the script file is a script file to be verified can be determined according to the following steps:
  • the predetermined script interpreter includes one or more script interpreters suitable for parsing and executing the corresponding script file, such as a shell script interpreter, which matches with one or more script files signed based on the script signature method 200 . bash. It should be noted that the predetermined script interpreter may include one or more types of script interpreters, and the present invention is not limited to the specific kind of the predetermined script interpreter.
  • the script interpreter parameter is the first parameter that is the first line of the script file.
  • the script file is the script file to be verified, that is, the script file signed based on the script signature method 200 . If the specified script interpreter is not the predetermined script interpreter, it is determined that the script file is not the script file to be verified.
  • the script file parameter is further obtained, and it is judged whether the file specified by the script file parameter (the script file itself) is an elf file or a java file. If the file specified by the script file parameter is not an elf file or a java file, it is also determined that the script file is the script file to be verified. On the contrary, if the file specified by the script file parameter is an elf file or a java file, it is determined that the script file is not the script file to be verified, and the script file is no longer verified based on the method 300 .
  • one or more parameters included in the script file are obtained in advance based on the search_binary_handler function of the kernel module. In this way, from all the obtained parameters, parameters corresponding to the script interpreter, parameters corresponding to the script file itself, parameters corresponding to the script file path, and the like can be obtained.
  • step S320 if it is determined that the script file is the script file to be verified, step S330 is executed.
  • step S330 the current script file to be verified is blocked, and the script file path is obtained based on the script file, for example, the script file path is obtained by obtaining the corresponding parameter (parameter corresponding to the script file path) in the script file, The script file path is then written to the character device file.
  • the character device file is, for example, a dev file.
  • step S340 the character device file is read, so as to obtain the script file to be verified based on the script file path in the character device file.
  • step S350 the script verification method is invoked to perform signature verification on the script file to be verified, that is, to verify the signature data of the script file.
  • the script verification method can be implemented as a shell-sign program, for example. If the signature verification of the script file is successful, the execution of the current script file is continued. If the signature verification of the script file fails, the execution of the current script file is terminated, and a message of signature verification failure is generated and displayed on the interface, so as to prompt the user that the current script file cannot be run due to the verification failure.
  • the present invention performs signature verification on the script file when executing the script file, and can run the script only after the verification is passed, thereby ensuring the security of running the script file under the Linux system.
  • FIG. 4 shows a sequence diagram of a script verification method 300 according to an embodiment of the present invention.
  • the script file may be implemented as a shell script, and the foregoing steps S310 to S330 are suitable for being executed by the LSM module of the Linux system kernel.
  • the foregoing steps S340 to S350 are suitable for being executed by the background process deepin-elf-verify.
  • the background process deepin-elf-verify cyclically reads the character device file, and calls the shell-sign script verification method to verify the signature of the script file to be verified. Subsequently, the background process deepin-elf-verify obtains the signature verification result returned by the shell-sign method, wherein, when the verification result is determined to be a verification failure, the background process deepin-elf-verify generates a script file signature verification failure message, and sends the message to the Sent to the UI interface for display.
  • the background process deepin-elf-verify also writes the verification results to the character device file (dev).
  • the LSM module of the kernel reads the verification result from the character device file, and determines whether to release the script file and continue to execute the script file according to the read verification result.
  • the verification result read by the LSM module of the kernel is that the verification is successful, the script file is released, so as to continue to execute the script file.
  • the signature data of the script file is stored in the script file as comment information, when performing signature verification on the script file, it is necessary to split the script file in advance and obtain the Signature data and script content in script files.
  • the signature data is obtained based on the annotation information by obtaining the annotation information from the end of the script file.
  • remove the comment character "#" at the beginning of the line of the comment information start from '-----END PKCS7-----', and stop reading '-----BEGIN PKCS7-----' , and combine all the lines read to obtain signature data (string) in Pem format. Then, get the script content in the script file. It should be noted that blank and comment lines are ignored when fetching script content.
  • a first digest of the script content is calculated based on a digest algorithm.
  • the digest algorithm is, for example, a message digest algorithm.
  • the signature data obtained from the script file is decrypted based on the signature certificate to generate a second digest.
  • format conversion is performed on the signature data first, and the signature data is converted into signature information of a predetermined structure, for example, the predetermined structure is a structure conforming to the pkcs#7 standard, but is not limited thereto.
  • the signing certificate is verified in order to verify the identity of the publisher of the script file. After the identity verification of the publisher based on the signature certificate is passed, the signature information is decrypted based on the public key of the signature certificate (matching the private key in the method 200 ) to generate a second digest.
  • script files in multiple languages under the Linux system can be signed, and the signature data is added to the end of the script file in the form of comments, so that the signature data is saved as comment information in the Inside the signed script file, it is not easy to lose.
  • the computing device determines whether the script needs to be verified by executing the script verification method 300, and verifies the signature data in the signed script file that needs to be verified, and can continue to run the script only after the verification is passed. , in this way, the security of various scripts under the Linux system can be fully guaranteed.
  • the various techniques described herein can be implemented in conjunction with hardware or software, or a combination thereof.
  • the method and apparatus of the present invention may take the form of an embedded tangible medium, such as a removable hard disk, a USB stick, a floppy disk, a CD-ROM, or any other machine-readable storage medium.
  • program code ie, instructions
  • the machine becomes an apparatus for practicing the invention.
  • the computing device typically includes a processor, a storage medium readable by the processor (including volatile and nonvolatile memory and/or storage elements), at least one input device, and at least one output device.
  • the memory is configured to store program codes; the processor is configured to execute the multilingual garbage text identification method of the present invention according to the instructions in the program codes stored in the memory.
  • readable media include readable storage media and communication media.
  • Readable storage media store information such as computer readable instructions, data structures, program modules or other data.
  • Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
  • modules or units or components of the apparatus in the examples disclosed herein may be arranged in the apparatus as described in this embodiment, or alternatively may be positioned differently from the apparatus in this example in one or more devices.
  • the modules in the preceding examples may be combined into one module or further divided into sub-modules.
  • modules in the device in an embodiment can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components in the embodiments may be combined into one module or unit or component, and further they may be divided into multiple sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings) and any method so disclosed may be employed in any combination, unless at least some of such features and/or procedures or elements are mutually exclusive. All processes or units of equipment are combined.
  • Each feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

A script verification method, a script signing method, and a computing device, executed in an operating system. The script verification method comprises the steps of: executing a script file (S310); determining whether the script file is a script file to be verified (S320); if yes, obtaining a script file path on the basis of the script file, and writing the script file path into a character device file (S330); reading the character device file to obtain the script file to be verified on the basis of the script file path in the character device file (S340); and performing signature verification on the script file to be verified, and if the verification succeeds, continuing to execute the script file (S350). The script verification method can fully ensure the security during script running.

Description

脚本验证方法、脚本签名方法及计算设备Script verification method, script signature method and computing device 技术领域technical field
本发明涉及脚本签名技术领域,特别涉及一种脚本验证方法、脚本签名方法及计算设备。The present invention relates to the technical field of script signature, in particular to a script verification method, a script signature method and a computing device.
背景技术Background technique
脚本开发方便、无需编译、可直接运行,广泛应用于Linux操作系统。Linux操作系统中常用的脚本包括shell、python、perl、lua、rubby等。脚本作为一种纯文本格式的可执行程序,目前在执行脚本时仅检查执行用户、可执行权限和root账号,缺乏有效的安全机制,而且,用户很难确定脚本的发布者、脚本是否被篡改过。对于银行、企业等对安全要求较高的系统环境,在运行脚本时,如何保证脚本的安全可信至关重要。The script is easy to develop, does not need to be compiled, can be run directly, and is widely used in the Linux operating system. Commonly used scripts in Linux operating systems include shell, python, perl, lua, rubby, etc. As a plain text executable program, the script currently only checks the execution user, executable permission and root account when executing the script, which lacks an effective security mechanism. Moreover, it is difficult for users to determine the publisher of the script and whether the script has been tampered with. Pass. For system environments with high security requirements such as banks and enterprises, it is very important to ensure the security and credibility of scripts when running scripts.
现有技术中对脚本的签名方法有两种,一种是开发者对脚本签名后,将签名信息附加保存到被签名的文件内部,例如Powershell脚本数字签名方案。基于该签名方法对脚本进行签名后,用户在运行签名脚本时,Powershell提取、检查脚本中的签名信息,确认发布者证书是否受信任,根据不同的脚本执行策略,对未经安全签名的、不信任发布者的脚本作出响应处理。这种签名方法仅适用于Windows系统下的PowerShell脚本,不能适应Linux系统下的众多脚本语言,导致Linux系统无法使用这种签名方法。There are two methods for signing scripts in the prior art. One is that after the developer signs the script, the signature information is additionally stored in the signed file, such as the Powershell script digital signature scheme. After the script is signed based on this signature method, when the user runs the signed script, Powershell extracts and checks the signature information in the script to confirm whether the publisher's certificate is trusted. Trust the publisher's script to respond with processing. This signature method is only applicable to PowerShell scripts under Windows systems, and cannot be adapted to many scripting languages under Linux systems, so Linux systems cannot use this signature method.
还有一种签名方法,在开发者对脚本进行签名后,将签名信息额外保存为单独的签名文件,进而发布签名文件和脚本,这种独立的签名文件在传递过程中很容易丢失。而且,用户在运行签名后的脚本前,需要手动进行验签,即使不验签或验证不通过也可以执行脚本,不能保证脚本运行时的安全性。There is also a signature method. After the developer signs the script, the signature information is additionally saved as a separate signature file, and then the signature file and the script are released. This independent signature file is easily lost during the transfer process. Moreover, the user needs to manually verify the signature before running the signed script. Even if the signature is not verified or the verification fails, the script can be executed, and the security of the script running cannot be guaranteed.
为此,需要一种脚本签名方法及脚本验证方法来解决上述技术方案中存在的问题。Therefore, a script signature method and a script verification method are required to solve the problems existing in the above technical solutions.
发明内容SUMMARY OF THE INVENTION
为此,本发明提供一种脚本验证方法和脚本签名方法,以力图解决或者至少缓解上面存在的问题。To this end, the present invention provides a script verification method and a script signature method to try to solve or at least alleviate the above problems.
根据本发明的一个方面,提供了一种脚本验证方法,在操作系统中执行,包括步骤:执行脚本文件;判断脚本文件是否是待验证脚本文件;如果是待验证脚本文件,则基于脚本文件获取脚本文件路径,并将脚本文件路径写入字符设备文件;读取字符设备文件,以便基于字符设备文件中的脚本文件路径获取待验证脚本文件;以及对待验证脚本文件进行签名验证,如果验证成功,则继续执行所述脚本文件。According to one aspect of the present invention, a script verification method is provided, which is executed in an operating system and includes the steps of: executing a script file; judging whether the script file is a script file to be verified; if it is a script file to be verified, obtaining based on the script file script file path, and write the script file path into the character device file; read the character device file to obtain the script file to be verified based on the script file path in the character device file; and perform signature verification on the script file to be verified, if the verification is successful, Then continue to execute the script file.
可选地,在根据本发明的脚本验证方法中,判断脚本文件是否是待验证脚本文件的步骤包括:获取脚本文件中的脚本解释器参数,判断脚本解释器参数指定的是否是预定脚本解释器;如果是预定脚本解释器,则确定脚本文件是待验证脚本文件。Optionally, in the script verification method according to the present invention, the step of judging whether the script file is the script file to be verified includes: acquiring the script interpreter parameters in the script file, and determining whether the script interpreter parameter specifies whether the script interpreter is a predetermined script interpreter. ; If it is a predetermined script interpreter, determine that the script file is the script file to be verified.
可选地,在根据本发明的脚本验证方法中,还包括步骤:如果未获取到脚本解释器参数,则获取脚本文件参数,判断脚本文件参数指定的文件是否是elf文件或java文件;如果不是elf文件或java文件,则确定脚本文件是待验证脚本文件。Optionally, in the script verification method according to the present invention, it also includes the steps of: if the script interpreter parameter is not obtained, then obtain the script file parameter, and judge whether the file specified by the script file parameter is an elf file or a java file; if not elf file or java file, it is determined that the script file is the script file to be verified.
可选地,在根据本发明的脚本验证方法中,还包括步骤:如果签名验证失败,则终止执行所述脚本文件,并生成签名验证失败的消息显示在界面。Optionally, the script verification method according to the present invention further includes the step of: if the signature verification fails, terminating the execution of the script file, and generating a signature verification failure message to display on the interface.
可选地,在根据本发明的脚本验证方法中,在对待验证脚本文件进行签名验证之后,还包括步骤:将验证结果写入字符设备文件。Optionally, in the script verification method according to the present invention, after the signature verification is performed on the script file to be verified, the method further includes the step of: writing the verification result into the character device file.
可选地,在根据本发明的脚本验证方法中,对脚本文件进行签名验证包括:调用脚本验证方法对脚本文件进行签名验证。Optionally, in the script verification method according to the present invention, performing signature verification on the script file includes: calling the script verification method to perform signature verification on the script file.
可选地,在根据本发明的脚本验证方法中,对脚本文件进行签名验证的步骤包括:从脚本文件尾部获取注释信息,基于所述注释信息获取签名数据;获取脚本文件中的脚本内容;基于摘要算法计算所述脚本内容的第一摘要;基于签名证书对所述签名数据进行解密,生成第二摘要;对比第一摘要和第二摘要是否相同,如果相同,则验证成功。Optionally, in the script verification method according to the present invention, the step of performing signature verification on the script file includes: acquiring annotation information from the end of the script file, and acquiring signature data based on the annotation information; acquiring script content in the script file; The digest algorithm calculates the first digest of the script content; decrypts the signature data based on the signature certificate to generate the second digest; compares whether the first digest and the second digest are the same, if they are the same, the verification is successful.
可选地,在根据本发明的脚本验证方法中,基于签名证书对所述签名数 据进行解密的步骤包括:将所述签名数据转换为预定结构的签名信息;对签名证书进行验证,以便验证脚本文件的发布者身份;基于签名证书对所述签名信息进行解密,生成第二摘要。Optionally, in the script verification method according to the present invention, the step of decrypting the signature data based on the signature certificate includes: converting the signature data into signature information of a predetermined structure; verifying the signature certificate in order to verify the script The identity of the issuer of the file; the signature information is decrypted based on the signature certificate, and a second digest is generated.
根据本发明的一个方面,提供了一种脚本签名方法,在计算设备中执行,包括步骤:获取脚本文件中的脚本内容;基于摘要算法计算所述脚本内容的摘要;基于私钥对所述摘要进行签名,生成签名信息,并将所述签名信息转换为签名数据;以及基于注释方法将所述签名数据添加到脚本文件尾部,以作为所述脚本文件的注释信息。According to an aspect of the present invention, a script signature method is provided, executed in a computing device, comprising the steps of: acquiring script content in a script file; calculating a digest of the script content based on a digest algorithm; performing signature, generating signature information, and converting the signature information into signature data; and adding the signature data to the end of the script file based on an annotation method to serve as the annotation information of the script file.
根据本发明的一个方面,提供了一种计算设备,包括:至少一个处理器;以及存储器,存储有程序指令,其中,所述程序指令被配置为适于由所述至少一个处理器执行,所述程序指令包括用于执行如上所述的方法的指令。According to one aspect of the present invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the The program instructions include instructions for performing the method as described above.
根据本发明的一个方面,提供了一种存储有程序指令的可读存储介质,当所述程序指令被计算设备读取并执行时,使得所述计算设备执行如上所述方法。According to an aspect of the present invention, there is provided a readable storage medium storing program instructions, which when read and executed by a computing device, cause the computing device to perform the method as described above.
根据本发明的技术方案,提供了一种脚本签名方法和脚本验证方法,基于脚本签名方法可以对Linux系统下的多种语言的脚本文件进行开发者签名,将签名数据以注释的方式添加到脚本文件的尾部,使得签名数据作为注释信息保存在被签名的脚本文件内部,不易丢失。并且,在执行脚本文件时,计算设备通过执行脚本验证方法来判断脚本是否需要进行验证,并对需要验证的签名后的脚本文件中的签名数据进行验证,只有在验证通过之后才能继续运行脚本,这样,能够充分保证脚本运行时的安全性。According to the technical solution of the present invention, a script signature method and a script verification method are provided. Based on the script signature method, developers can sign script files in multiple languages under the Linux system, and add the signature data to the script in the form of comments. At the end of the file, the signature data is stored in the signed script file as comment information, and it is not easy to lose. In addition, when executing the script file, the computing device determines whether the script needs to be verified by executing the script verification method, and verifies the signature data in the signed script file that needs to be verified, and can continue to run the script only after the verification is passed. In this way, the security of the script runtime can be fully guaranteed.
附图说明Description of drawings
为了实现上述以及相关目的,本文结合下面的描述和附图来描述某些说明性方面,这些方面指示了可以实践本文所公开的原理的各种方式,并且所有方面及其等效方面旨在落入所要求保护的主题的范围内。通过结合附图阅读下面的详细描述,本公开的上述以及其它目的、特征和优势将变得更加明显。遍及本公开,相同的附图标记通常指代相同的部件或元素。To achieve the above and related objects, certain illustrative aspects are described herein in conjunction with the following description and drawings, which are indicative of the various ways in which the principles disclosed herein may be practiced, and all aspects and their equivalents are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent by reading the following detailed description in conjunction with the accompanying drawings. Throughout this disclosure, the same reference numbers generally refer to the same parts or elements.
图1示出了根据本发明一个实施例的计算设备100的示意图;FIG. 1 shows a schematic diagram of a computing device 100 according to an embodiment of the present invention;
图2示出了根据本发明一个实施例的脚本签名方法200的流程图;FIG. 2 shows a flowchart of a script signature method 200 according to an embodiment of the present invention;
图3示出了根据本发明一个实施例的脚本验证方法300的流程图;以及FIG. 3 shows a flowchart of a script verification method 300 according to an embodiment of the present invention; and
图4示出了根据本发明一个实施例的脚本验证方法300的时序图。FIG. 4 shows a sequence diagram of a script verification method 300 according to an embodiment of the present invention.
具体实施方式Detailed ways
下面将参照附图更详细地描述本公开的示例性实施例。虽然附图中显示了本公开的示例性实施例,然而应当理解,可以以各种形式实现本公开而不应被这里阐述的实施例所限制。相反,提供这些实施例是为了能够更透彻地理解本公开,并且能够将本公开的范围完整的传达给本领域的技术人员。Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be more thoroughly understood, and will fully convey the scope of the present disclosure to those skilled in the art.
本发明中的脚本签名方法200及脚本验证方法300适于在计算设备中执行。计算设备通过执行脚本签名方法200对脚本文件进行开发者签名,并将签名数据以注释的方式添加到脚本文件中。在执行脚本文件时,计算设备通过执行脚本验证方法300对脚本文件中的签名数据进行验证。The script signature method 200 and the script verification method 300 in the present invention are suitable for execution in a computing device. The computing device performs developer signature on the script file by executing the script signing method 200, and adds the signature data to the script file in the form of comments. When executing the script file, the computing device verifies the signature data in the script file by executing the script verification method 300 .
图1示出了根据本发明一个实施例的计算设备100的示意图。FIG. 1 shows a schematic diagram of a computing device 100 according to one embodiment of the present invention.
如图1所示,在基本的配置102中,计算设备100典型地包括系统存储器106和一个或者多个处理器104。存储器总线108可以用于在处理器104和系统存储器106之间的通信。As shown in FIG. 1 , in a basic configuration 102 , computing device 100 typically includes system memory 106 and one or more processors 104 . The memory bus 108 may be used for communication between the processor 104 and the system memory 106 .
取决于期望的配置,处理器104可以是任何类型的处理,包括但不限于:微处理器(UP)、微控制器(UC)、数字信息处理器(DSP)或者它们的任何组合。处理器104可以包括诸如一级高速缓存110和二级高速缓存112之类的一个或者多个级别的高速缓存、处理器核心114和寄存器116。示例的处理器核心114可以包括运算逻辑单元(ALU)、浮点数单元(FPU)、数字信号处理核心(DSP核心)或者它们的任何组合。示例的存储器控制器118可以与处理器104一起使用,或者在一些实现中,存储器控制器118可以是处理器104的一个内部部分。Depending on the desired configuration, the processor 104 may be any type of process including, but not limited to, a microprocessor (UP), a microcontroller (UC), a digital information processor (DSP), or any combination thereof. Processor 104 may include one or more levels of cache, such as L1 cache 110 and L2 cache 112 , processor core 114 , and registers 116 . Exemplary processor cores 114 may include arithmetic logic units (ALUs), floating point units (FPUs), digital signal processing cores (DSP cores), or any combination thereof. The exemplary memory controller 118 may be used with the processor 104 , or in some implementations, the memory controller 118 may be an internal part of the processor 104 .
取决于期望的配置,系统存储器106可以是任意类型的存储器,包括但不限于:易失性存储器(诸如RAM)、非易失性存储器(诸如ROM、闪存等)或者它们的任何组合。系统存储器106可以包括操作系统120、一个或者多个应用122以及程序数据124。在一些实施方式中,应用122可以布置为在操作系统上由一个或多个处理器104利用程序数据124执行指令。Depending on the desired configuration, system memory 106 may be any type of memory including, but not limited to, volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 106 may include operating system 120 , one or more applications 122 , and program data 124 . In some embodiments, applications 122 may be arranged to execute instructions using program data 124 by one or more processors 104 on an operating system.
计算设备100还包括储存设备132,储存设备132包括可移除储存器136和不可移除储存器138。Computing device 100 also includes storage device 132 including removable storage 136 and non-removable storage 138 .
计算设备100还可以包括储存接口总线134。储存接口总线134实现了从储存设备132(例如,可移除储存器136和不可移除储存器138)经由总线/接口控制器130到基本配置102的通信。操作系统120、应用122以及数据124的至少一部分可以存储在可移除储存器136和/或不可移除储存器138上,并且在计算设备100上电或者要执行应用122时,经由储存接口总线134而加载到系统存储器106中,并由一个或者多个处理器104来执行。Computing device 100 may also include a storage interface bus 134 . Storage interface bus 134 enables communication from storage devices 132 (eg, removable storage 136 and non-removable storage 138 ) to base configuration 102 via bus/interface controller 130 . Operating system 120, applications 122, and at least a portion of data 124 may be stored on removable storage 136 and/or non-removable storage 138, and via the storage interface bus when computing device 100 is powered on or applications 122 are to be executed 134 is loaded into system memory 106 and executed by one or more processors 104 .
计算设备100还可以包括有助于从各种接口设备(例如,输出设备142、外设接口144和通信设备146)到基本配置102经由总线/接口控制器130的通信的接口总线140。示例的输出设备142包括图形处理单元148和音频处理单元150。它们可以被配置为有助于经由一个或者多个A/V端口152与诸如显示器或者扬声器之类的各种外部设备进行通信。示例外设接口144可以包括串行接口控制器154和并行接口控制器156,它们可以被配置为有助于经由一个或者多个I/O端口158和诸如输入设备(例如,键盘、鼠标、笔、语音输入设备、触摸输入设备)或者其他外设(例如打印机、扫描仪等)之类的外部设备进行通信。示例的通信设备146可以包括网络控制器160,其可以被布置为便于经由一个或者多个通信端口164与一个或者多个其他计算设备162通过网络通信链路的通信。Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (eg, output device 142 , peripheral interface 144 , and communication device 146 ) to base configuration 102 via bus/interface controller 130 . Example output devices 142 include graphics processing unit 148 and audio processing unit 150 . They may be configured to facilitate communication via one or more A/V ports 152 with various external devices such as displays or speakers. Example peripheral interfaces 144 may include serial interface controller 154 and parallel interface controller 156, which may be configured to facilitate communication via one or more I/O ports 158 and input devices such as keyboard, mouse, pen , voice input devices, touch input devices) or other peripherals (eg printers, scanners, etc.) The example communication device 146 may include a network controller 160 that may be arranged to facilitate communication via one or more communication ports 164 with one or more other computing devices 162 over a network communication link.
网络通信链路可以是通信介质的一个示例。通信介质通常可以体现为在诸如载波或者其他传输机制之类的调制数据信号中的计算机可读指令、数据结构、程序模块,并且可以包括任何信息递送介质。“调制数据信号”可以是这样的信号,它的数据集中的一个或者多个或者它的改变可以在信号中以编码信息的方式进行。作为非限制性的示例,通信介质可以包括诸如有线网络或者专线网络之类的有线介质,以及诸如声音、射频(RF)、微波、红外(IR)或者其它无线介质在内的各种无线介质。这里使用的术语计算机可读介质可以包括存储介质和通信介质二者。A network communication link may be one example of a communication medium. Communication media may typically embody computer readable instructions, data structures, program modules in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media. A "modulated data signal" may be a signal in which one or more of its data sets or whose changes may be made in the signal in a manner that encodes information. By way of non-limiting example, communication media may include wired media, such as wired or leased line networks, and various wireless media, such as acoustic, radio frequency (RF), microwave, infrared (IR), or other wireless media. The term computer readable medium as used herein may include both storage media and communication media.
计算设备100可以实现为包括桌面计算机和笔记本计算机配置的个人计算机。当然,计算设备100也可以实现为小尺寸便携(或者移动)电子设备的一部分,这些电子设备可以是诸如蜂窝电话、数码照相机、个人数字助理 (PDA)、个人媒体播放器设备、无线网络浏览设备、个人头戴设备、应用专用设备、或者可以包括上面任何功能的混合设备。甚至可以被实现为服务器,如文件服务器、数据库服务器、应用程序服务器和WEB服务器等。本发明的实施例对此均不做限制。Computing device 100 may be implemented as a personal computer including a desktop computer and a notebook computer configuration. Of course, computing device 100 may also be implemented as part of a small form factor portable (or mobile) electronic device such as a cellular telephone, digital camera, personal digital assistant (PDA), personal media player device, wireless web browsing device , personal headsets, application-specific devices, or hybrid devices that can include any of the above. It can even be implemented as a server, such as a file server, database server, application server, and WEB server. The embodiments of the present invention do not limit this.
在根据本发明的实施例中,计算设备100被配置为执行根据本发明的脚本签名方法200。其中,计算设备100的应用122中包含用于执行本发明的脚本签名方法200的多条程序指令,这些程序指令可以被计算设备100读取并执行,以便计算设备100执行根据本发明的脚本签名方法200来对脚本文件进行开发者签名。In an embodiment according to the present invention, the computing device 100 is configured to perform the script signing method 200 according to the present invention. The application 122 of the computing device 100 includes a plurality of program instructions for executing the script signature method 200 of the present invention, and these program instructions can be read and executed by the computing device 100, so that the computing device 100 can execute the script signature according to the present invention. The method 200 is to developer-sign the script file.
在根据本发明的实施例中,计算设备100被配置为执行根据本发明的脚本验证方法300。其中,计算设备100的操作系统120中包含用于执行本发明的脚本验证方法300的多条程序指令,这些程序指令可以被计算设备100读取并执行,以便操作系统执行根据本发明的脚本验证方法300来对签名后的脚本文件进行验证。In an embodiment according to the present invention, the computing device 100 is configured to execute the script verification method 300 according to the present invention. Wherein, the operating system 120 of the computing device 100 contains a plurality of program instructions for executing the script verification method 300 of the present invention, and these program instructions can be read and executed by the computing device 100, so that the operating system executes the script verification method according to the present invention The method 300 is to verify the signed script file.
需要说明的是,根据本发明的技术方案,当开发者对脚本文件签名时,计算设备100通过执行脚本签名方法200对脚本文件进行签名,并将签名数据以注释的方式添加到脚本文件的尾部,使得签名数据作为注释信息保存在被签名的脚本文件中。当用户执行签名后的脚本文件时,计算设备100的操作系统通过执行脚本验证方法300来对脚本文件中的签名数据进行验证。It should be noted that, according to the technical solution of the present invention, when the developer signs the script file, the computing device 100 signs the script file by executing the script signature method 200, and adds the signature data to the end of the script file in the form of comments , so that the signature data is saved in the signed script file as comment information. When the user executes the signed script file, the operating system of the computing device 100 verifies the signature data in the script file by executing the script verification method 300 .
图2示出了根据本发明一个实施例的脚本签名方法200的流程图。方法200适于在计算设备(例如前述计算设备100)中执行。FIG. 2 shows a flowchart of a script signing method 200 according to an embodiment of the present invention. The method 200 is suitable for execution in a computing device, such as the aforementioned computing device 100 .
应当指出,脚本签名方法200适于对Linux系统下的多种语言的脚本文件进行开发者签名,这里,本发明不限于具体的脚本语言。It should be noted that the script signature method 200 is suitable for developer signatures for script files in multiple languages under the Linux system. Here, the present invention is not limited to a specific script language.
如图2所示,方法200始于步骤S210。在步骤S210中,获取脚本文件中的脚本内容。As shown in FIG. 2, the method 200 starts at step S210. In step S210, the script content in the script file is obtained.
在步骤S220中,基于摘要算法计算脚本内容的摘要。也就是说,基于摘要算法对脚本内容计算摘要,该摘要也即是脚本文件的摘要。这里,摘要算法例如是消息摘要算法。In step S220, a digest of the script content is calculated based on a digest algorithm. That is to say, the digest is calculated for the script content based on the digest algorithm, and the digest is also the digest of the script file. Here, the digest algorithm is, for example, a message digest algorithm.
需要说明的是,在获取脚本文件中的脚本内容时,忽略空行和注释行。 这样,在步骤S220中计算脚本文件的摘要时,是基于去除空行和注释行后的脚本内容来计算摘要。It should be noted that when obtaining the script content in the script file, blank lines and comment lines are ignored. In this way, when calculating the summary of the script file in step S220, the summary is calculated based on the content of the script after removing blank lines and comment lines.
在步骤S230中,基于私钥和签名算法对摘要进行签名计算,生成签名信息,并对签名信息进行格式转换后生成签名数据。这里,对摘要计算签名后得到的签名信息是符合pkcs#7标准的结构体,通过对符合pkcs#7标准的签名信息进行格式转换后得到的是pem格式的签名数据。应当指出,本发明不限于签名信息的具体格式。In step S230, signature calculation is performed on the digest based on the private key and the signature algorithm, signature information is generated, and signature data is generated after format conversion of the signature information. Here, the signature information obtained by calculating the signature on the digest is a structure conforming to the pkcs#7 standard, and the signature data in pem format is obtained after format conversion of the signature information conforming to the pkcs#7 standard. It should be noted that the present invention is not limited to the specific format of the signature information.
在步骤S240中,基于注释方法将pem格式的签名数据添加到脚本文件尾部,作为脚本文件的注释信息。这样,根据本发明的方法200对脚本文件内容签名后生成的签名数据,是作为注释信息保存在被签名的脚本文件内部,避免了单独保存签名文件方案的容易丢失问题。In step S240, the signature data in pem format is added to the end of the script file based on the annotation method, as the annotation information of the script file. In this way, the signature data generated after signing the content of the script file according to the method 200 of the present invention is stored in the signed script file as comment information, which avoids the problem of easy loss of the scheme of separately saving the signature file.
应当指出,在本发明的脚本签名方法200以及相应的脚本验证方法300中,均适用于Linux系统下的多种语言的脚本文件,这里,本发明对脚本文件的脚本语言不做具体限定。例如,脚本文件可以实现为Shell脚本、Python脚本、Perl脚本、Lua脚本、Rubby脚本等,但不限于此。在本发明的实施例中,仅以Shell脚本为例对本发明的脚本签名方法200和脚本验证方法300进行详细说明。It should be pointed out that the script signature method 200 and the corresponding script verification method 300 of the present invention are both applicable to script files in multiple languages under the Linux system. Here, the present invention does not specifically limit the script language of the script file. For example, the script file may be implemented as a Shell script, a Python script, a Perl script, a Lua script, a Rubby script, etc., but is not limited thereto. In the embodiment of the present invention, the script signature method 200 and the script verification method 300 of the present invention are described in detail by taking a shell script as an example.
图3示出了根据本发明一个实施例的脚本验证方法300的流程图。方法300适于在计算设备(例如前述计算设备100)的操作系统中执行。FIG. 3 shows a flowchart of a script verification method 300 according to an embodiment of the present invention. The method 300 is suitable for execution in an operating system of a computing device, such as the aforementioned computing device 100 .
如图3所示,方法300始于步骤S310。在步骤S310中,执行脚本文件。这里,可以在Linux系统中执行一种或多种脚本文件,例如执行Shell脚本、Python脚本、Perl脚本、Lua脚本、Rubby脚本,且不限于这些脚本文件。As shown in FIG. 3, the method 300 begins at step S310. In step S310, the script file is executed. Here, one or more kinds of script files can be executed in the Linux system, such as executing Shell script, Python script, Perl script, Lua script, Rubby script, and not limited to these script files.
随后,在步骤S320中,判断脚本文件是否是待验证脚本文件。也就是说,在执行脚本文件时,判断脚本文件是否是待验证脚本文件。Subsequently, in step S320, it is determined whether the script file is a script file to be verified. That is, when executing the script file, it is determined whether the script file is the script file to be verified.
需要说明的是,这里的待验证脚本文件例如是基于前述脚本签名方法200进行签名后的脚本文件,在用户请求执行签名后的脚本文件时,计算设备100会根据本发明的脚本验证方法300对签名后的脚本文件的签名数据进行验证。应当理解,基于脚本签名方法200进行签名后的待验证脚本文件可以是Shell脚本、Python脚本、Perl脚本、Lua脚本、Rubby脚本中的一种或多种。It should be noted that the script file to be verified here is, for example, a script file that is signed based on the aforementioned script signature method 200. When a user requests to execute the signed script file, the computing device 100 will verify the script file according to the script verification method 300 of the present invention. The signature data of the signed script file is verified. It should be understood that the script file to be verified after being signed based on the script signature method 200 may be one or more of a Shell script, a Python script, a Perl script, a Lua script, and a Rubby script.
根据一个实施例,可以按照以下步骤来判断脚本文件是否是待验证脚本文件:According to one embodiment, whether the script file is a script file to be verified can be determined according to the following steps:
获取脚本文件中的脚本解释器参数,判断脚本解释器参数指定的是否是预定脚本解释器。这里,预定脚本解释器包括与基于脚本签名方法200进行签名的一种或多种脚本文件相匹配的、适于解析并执行相应脚本文件的一种或多种脚本解释器,例如shell脚本解释器bash。应当指出,预定脚本解释器可以包括一种或多种脚本解释器,本发明不限于预定脚本解释器的具体种类。在一种实施方式中,脚本解释器参数是作为脚本文件首行的第一个参数。Obtain the script interpreter parameters in the script file, and determine whether the script interpreter parameter specifies a predetermined script interpreter. Here, the predetermined script interpreter includes one or more script interpreters suitable for parsing and executing the corresponding script file, such as a shell script interpreter, which matches with one or more script files signed based on the script signature method 200 . bash. It should be noted that the predetermined script interpreter may include one or more types of script interpreters, and the present invention is not limited to the specific kind of the predetermined script interpreter. In one embodiment, the script interpreter parameter is the first parameter that is the first line of the script file.
如果是预定脚本解释器,则确定脚本文件是待验证脚本文件,也即是基于脚本签名方法200进行签名后的脚本文件。如果指定的不是预定脚本解释器,则确定脚本文件不是待验证脚本文件。If it is a predetermined script interpreter, it is determined that the script file is the script file to be verified, that is, the script file signed based on the script signature method 200 . If the specified script interpreter is not the predetermined script interpreter, it is determined that the script file is not the script file to be verified.
另外,如果未获取到脚本解释器参数,则进一步获取脚本文件参数,判断脚本文件参数指定的文件(脚本文件本身)是否是elf文件或java文件。如果脚本文件参数指定的文件不是elf文件或java文件,则也确定脚本文件是待验证脚本文件。反之,如果脚本文件参数指定的文件是elf文件或java文件,则确定脚本文件不是待验证脚本文件,不再基于方法300对该脚本文件进行验证。In addition, if the script interpreter parameter is not obtained, the script file parameter is further obtained, and it is judged whether the file specified by the script file parameter (the script file itself) is an elf file or a java file. If the file specified by the script file parameter is not an elf file or a java file, it is also determined that the script file is the script file to be verified. On the contrary, if the file specified by the script file parameter is an elf file or a java file, it is determined that the script file is not the script file to be verified, and the script file is no longer verified based on the method 300 .
在一种实施方式中,在基于上述步骤判断脚本文件是否是待验证脚本文件之前,预先基于内核模块的search_binary_handler函数获取脚本文件中包括的一个或多个参数。这样,可以从获取到的所有参数中,获取与脚本解释器相对应的参数、与脚本文件本身相对应的参数、与脚本文件路径相对应的参数等。In one embodiment, before determining whether the script file is the script file to be verified based on the above steps, one or more parameters included in the script file are obtained in advance based on the search_binary_handler function of the kernel module. In this way, from all the obtained parameters, parameters corresponding to the script interpreter, parameters corresponding to the script file itself, parameters corresponding to the script file path, and the like can be obtained.
在前述步骤S320中,如果确定脚本文件是待验证脚本文件,则执行步骤S330。In the foregoing step S320, if it is determined that the script file is the script file to be verified, step S330 is executed.
在步骤S330中,对当前待验证的脚本文件执行阻塞,同时基于该脚本文件获取脚本文件路径,例如通过获取脚本文件中的相应参数(与脚本文件路径相对应的参数)来获取脚本文件路径,随后将脚本文件路径写入字符设备文件。这里,字符设备文件例如是dev文件。In step S330, the current script file to be verified is blocked, and the script file path is obtained based on the script file, for example, the script file path is obtained by obtaining the corresponding parameter (parameter corresponding to the script file path) in the script file, The script file path is then written to the character device file. Here, the character device file is, for example, a dev file.
随后,在步骤S340中,读取字符设备文件,以便基于字符设备文件中的 脚本文件路径获取待验证脚本文件。Subsequently, in step S340, the character device file is read, so as to obtain the script file to be verified based on the script file path in the character device file.
最后,在步骤S350中,调用脚本验证方法对待验证脚本文件进行签名验证,即是对脚本文件的签名数据进行验证。这里,脚本验证方法例如可以实现为shell-sign程序。如果对脚本文件签名验证成功,则继续执行当前的脚本文件。如果对脚本文件签名验证失败,则终止执行当前的脚本文件,并生成签名验证失败的消息显示在界面,以便提示用户当前脚本文件因验证失败而不能运行。Finally, in step S350, the script verification method is invoked to perform signature verification on the script file to be verified, that is, to verify the signature data of the script file. Here, the script verification method can be implemented as a shell-sign program, for example. If the signature verification of the script file is successful, the execution of the current script file is continued. If the signature verification of the script file fails, the execution of the current script file is terminated, and a message of signature verification failure is generated and displayed on the interface, so as to prompt the user that the current script file cannot be run due to the verification failure.
这样,本发明在执行脚本文件时通过对脚本文件进行签名验证,在验证通过之后才能运行脚本,从而能保证在Linux系统下运行脚本文件时的安全性。In this way, the present invention performs signature verification on the script file when executing the script file, and can run the script only after the verification is passed, thereby ensuring the security of running the script file under the Linux system.
图4示出了根据本发明一个实施例的脚本验证方法300的时序图。FIG. 4 shows a sequence diagram of a script verification method 300 according to an embodiment of the present invention.
根据一种实施方式,如图4所示,脚本文件可以实现为shell脚本,前述步骤S310~S330适于由Linux系统内核的LSM模块执行。前述步骤S340~S350适于由后台进程deepin-elf-verify执行。According to an embodiment, as shown in FIG. 4 , the script file may be implemented as a shell script, and the foregoing steps S310 to S330 are suitable for being executed by the LSM module of the Linux system kernel. The foregoing steps S340 to S350 are suitable for being executed by the background process deepin-elf-verify.
如图4所示,后台进程deepin-elf-verify循环读取字符设备文件,并调用shell-sign脚本验证方法来对待验证脚本文件进行签名验证。随后,后台进程deepin-elf-verify获取shell-sign方法返回的签名验证结果,其中,在确定验证结果为验证失败时,后台进程deepin-elf-verify生成脚本文件签名验证失败的消息,并将消息发送至UI界面进行显示。As shown in Figure 4, the background process deepin-elf-verify cyclically reads the character device file, and calls the shell-sign script verification method to verify the signature of the script file to be verified. Subsequently, the background process deepin-elf-verify obtains the signature verification result returned by the shell-sign method, wherein, when the verification result is determined to be a verification failure, the background process deepin-elf-verify generates a script file signature verification failure message, and sends the message to the Sent to the UI interface for display.
另外,后台进程deepin-elf-verify还将验证结果写入字符设备文件(dev)。内核的LSM模块通过从字符设备文件读取验证结果,并根据读取到的验证结果来确定是否放行脚本文件、继续执行脚本文件。这里,在内核的LSM模块读取到的验证结果为验证成功时,放行该脚本文件,以便继续执行该脚本文件。In addition, the background process deepin-elf-verify also writes the verification results to the character device file (dev). The LSM module of the kernel reads the verification result from the character device file, and determines whether to release the script file and continue to execute the script file according to the read verification result. Here, when the verification result read by the LSM module of the kernel is that the verification is successful, the script file is released, so as to continue to execute the script file.
需要说明的是,在本发明的实施例中,由于脚本文件的签名数据是作为注释信息保存在脚本文件中的,因此,在对脚本文件进行签名验证时,需要预先拆分脚本文件,分别获取脚本文件中的签名数据和脚本内容。It should be noted that, in the embodiment of the present invention, since the signature data of the script file is stored in the script file as comment information, when performing signature verification on the script file, it is necessary to split the script file in advance and obtain the Signature data and script content in script files.
根据一个实施例,通过从脚本文件尾部获取注释信息,基于注释信息获取签名数据。这里,去除注释信息的行首的注释字符“#”,从‘-----END PKCS7-----’开始,读取到‘-----BEGIN PKCS7-----’停止,将读取到的所有行组合可以得到Pem格式的签名数据(字符串)。随后,获取脚本文件中的脚本内容。应当指出,在获取脚本内容时,忽略空行和注释行。According to one embodiment, the signature data is obtained based on the annotation information by obtaining the annotation information from the end of the script file. Here, remove the comment character "#" at the beginning of the line of the comment information, start from '-----END PKCS7-----', and stop reading '-----BEGIN PKCS7-----' , and combine all the lines read to obtain signature data (string) in Pem format. Then, get the script content in the script file. It should be noted that blank and comment lines are ignored when fetching script content.
进而,基于摘要算法计算脚本内容的第一摘要。摘要算法例如是消息摘要算法。Furthermore, a first digest of the script content is calculated based on a digest algorithm. The digest algorithm is, for example, a message digest algorithm.
并且,基于签名证书对从脚本文件中获取的签名数据进行解密,生成第二摘要。具体地,首先对签名数据进行格式转换,将签名数据转换为预定结构的签名信息,预定结构例如是符合pkcs#7标准的结构体,但不限于此。随后,对签名证书进行验证,以便验证脚本文件的发布者身份。在基于签名证书对发布者身份验证通过之后,基于签名证书的公钥(与方法200中的私钥相匹配)对签名信息进行解密,生成第二摘要。And, the signature data obtained from the script file is decrypted based on the signature certificate to generate a second digest. Specifically, format conversion is performed on the signature data first, and the signature data is converted into signature information of a predetermined structure, for example, the predetermined structure is a structure conforming to the pkcs#7 standard, but is not limited thereto. Subsequently, the signing certificate is verified in order to verify the identity of the publisher of the script file. After the identity verification of the publisher based on the signature certificate is passed, the signature information is decrypted based on the public key of the signature certificate (matching the private key in the method 200 ) to generate a second digest.
最后,对比第一摘要和第二摘要是否相同,如果相同,则对脚本文件签名验证成功,从而继续执行该脚本文件。如果不同,则签名验证失败,终止执行该脚本文件。Finally, it is compared whether the first digest and the second digest are the same, and if they are the same, the signature verification of the script file is successful, so that the script file continues to be executed. If different, signature verification fails and execution of the script file is terminated.
根据本发明的技术方案,基于脚本签名方法200可以对Linux系统下的多种语言的脚本文件进行签名,将签名数据以注释的方式添加到脚本文件的尾部,使得签名数据作为注释信息保存在被签名的脚本文件内部,不易丢失。并且,在执行脚本文件时,计算设备通过执行脚本验证方法300来判断脚本是否需要进行验证,并对需要验证的签名后的脚本文件中的签名数据进行验证,只有在验证通过之后才能继续运行脚本,这样,能够充分保证Linux系统下的多种脚本运行时的安全性。According to the technical solution of the present invention, based on the script signature method 200, script files in multiple languages under the Linux system can be signed, and the signature data is added to the end of the script file in the form of comments, so that the signature data is saved as comment information in the Inside the signed script file, it is not easy to lose. Moreover, when executing the script file, the computing device determines whether the script needs to be verified by executing the script verification method 300, and verifies the signature data in the signed script file that needs to be verified, and can continue to run the script only after the verification is passed. , in this way, the security of various scripts under the Linux system can be fully guaranteed.
这里描述的各种技术可结合硬件或软件,或者它们的组合一起实现。从而,本发明的方法和设备,或者本发明的方法和设备的某些方面或部分可采取嵌入有形媒介,例如可移动硬盘、U盘、软盘、CD-ROM或者其它任意机器可读的存储介质中的程序代码(即指令)的形式,其中当程序被载入诸如计算机之类的机器,并被所述机器执行时,所述机器变成实践本发明的设备。The various techniques described herein can be implemented in conjunction with hardware or software, or a combination thereof. Thus, the method and apparatus of the present invention, or certain aspects or portions of the method and apparatus of the present invention, may take the form of an embedded tangible medium, such as a removable hard disk, a USB stick, a floppy disk, a CD-ROM, or any other machine-readable storage medium. in the form of program code (ie, instructions) that, when the program is loaded into a machine, such as a computer, and executed by the machine, the machine becomes an apparatus for practicing the invention.
在程序代码在可编程计算机上执行的情况下,计算设备一般包括处理器、处理器可读的存储介质(包括易失性和非易失性存储器和/或存储元件),至少一个输入装置,和至少一个输出装置。其中,存储器被配置用于存储程序代 码;处理器被配置用于根据该存储器中存储的所述程序代码中的指令,执行本发明的多语言垃圾文本的识别方法。Where the program code is executed on a programmable computer, the computing device typically includes a processor, a storage medium readable by the processor (including volatile and nonvolatile memory and/or storage elements), at least one input device, and at least one output device. Wherein, the memory is configured to store program codes; the processor is configured to execute the multilingual garbage text identification method of the present invention according to the instructions in the program codes stored in the memory.
以示例而非限制的方式,可读介质包括可读存储介质和通信介质。可读存储介质存储诸如计算机可读指令、数据结构、程序模块或其它数据等信息。通信介质一般以诸如载波或其它传输机制等已调制数据信号来体现计算机可读指令、数据结构、程序模块或其它数据,并且包括任何信息传递介质。以上的任一种的组合也包括在可读介质的范围之内。By way of example and not limitation, readable media include readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
在此处所提供的说明书中,算法和显示不与任何特定计算机、虚拟系统或者其它设备固有相关。各种通用系统也可以与本发明的示例一起使用。根据上面的描述,构造这类系统所要求的结构是显而易见的。此外,本发明也不针对任何特定编程语言。应当明白,可以利用各种编程语言实现在此描述的本发明的内容,并且上面对特定语言所做的描述是为了披露本发明的最佳实施方式。In the specification provided herein, the algorithms and displays are not inherently related to any particular computer, virtual system, or other device. Various general purpose systems may also be used with examples of the present invention. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not directed to any particular programming language. It is to be understood that various programming languages may be used to implement the inventions described herein, and that the descriptions of specific languages above are intended to disclose the best mode for carrying out the invention.
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下被实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。Similarly, it is to be understood that in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together into a single embodiment, figure, or its description. This disclosure, however, should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.
本领域那些技术人员应当理解在本文所公开的示例中的设备的模块或单元或组件可以布置在如该实施例中所描述的设备中,或者可替换地可以定位在与该示例中的设备不同的一个或多个设备中。前述示例中的模块可以组合为一个模块或者此外可以分成多个子模块。Those skilled in the art will appreciate that the modules or units or components of the apparatus in the examples disclosed herein may be arranged in the apparatus as described in this embodiment, or alternatively may be positioned differently from the apparatus in this example in one or more devices. The modules in the preceding examples may be combined into one module or further divided into sub-modules.
本领域那些技术人员可以理解,可以对实施例中的设备中的模块进行自 适应性地改变并且把它们设置在与该实施例不同的一个或多个设备中。可以把实施例中的模块或单元或组件组合成一个模块或单元或组件,以及此外可以把它们分成多个子模块或子单元或子组件。除了这样的特征和/或过程或者单元中的至少一些是相互排斥之外,可以采用任何组合对本说明书(包括伴随的权利要求、摘要和附图)中公开的所有特征以及如此公开的任何方法或者设备的所有过程或单元进行组合。除非另外明确陈述,本说明书(包括伴随的权利要求、摘要和附图)中公开的每个特征可以由提供相同、等同或相似目的的替代特征来代替。Those skilled in the art will appreciate that the modules in the device in an embodiment can be adaptively changed and placed in one or more devices different from the embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and further they may be divided into multiple sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings) and any method so disclosed may be employed in any combination, unless at least some of such features and/or procedures or elements are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本发明的范围之内并且形成不同的实施例。例如,在下面的权利要求书中,所要求保护的实施例的任意之一都可以以任意的组合方式来使用。Furthermore, those skilled in the art will appreciate that although some of the embodiments described herein include certain features, but not others, included in other embodiments, that combinations of features of different embodiments are intended to be within the scope of the invention within and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
此外,所述实施例中的一些在此被描述成可以由计算机系统的处理器或者由执行所述功能的其它装置实施的方法或方法元素的组合。因此,具有用于实施所述方法或方法元素的必要指令的处理器形成用于实施该方法或方法元素的装置。此外,装置实施例的在此所述的元素是如下装置的例子:该装置用于实施由为了实施该发明的目的的元素所执行的功能。Furthermore, some of the described embodiments are described herein as methods or combinations of method elements that can be implemented by a processor of a computer system or by other means for performing the described functions. Thus, a processor having the necessary instructions for implementing the method or method element forms means for implementing the method or method element. Furthermore, an element of an apparatus embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of carrying out the invention.
如在此所使用的那样,除非另行规定,使用序数词“第一”、“第二”、“第三”等等来描述普通对象仅仅表示涉及类似对象的不同实例,并且并不意图暗示这样被描述的对象必须具有时间上、空间上、排序方面或者以任意其它方式的给定顺序。As used herein, unless otherwise specified, the use of the ordinal numbers "first," "second," "third," etc. to describe common objects merely refers to different instances of similar objects, and is not intended to imply such The objects being described must have a given order in time, space, ordinal, or in any other way.
尽管根据有限数量的实施例描述了本发明,但是受益于上面的描述,本技术领域内的技术人员明白,在由此描述的本发明的范围内,可以设想其它实施例。此外,应当注意,本说明书中使用的语言主要是为了可读性和教导的目的而选择的,而不是为了解释或者限定本发明的主题而选择的。因此,在不偏离所附权利要求书的范围和精神的情况下,对于本技术领域的普通技术人员来说许多修改和变更都是显而易见的。对于本发明的范围,对本发明所做的公开是说明性的,而非限制性的,本发明的范围由所附权利要求书限定。While the invention has been described in terms of a limited number of embodiments, those skilled in the art will appreciate, having the benefit of the above description, that other embodiments are conceivable within the scope of the invention thus described. Furthermore, it should be noted that the language used in this specification has been principally selected for readability and teaching purposes, rather than to explain or define the subject matter of the invention. Accordingly, many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the appended claims. This disclosure is intended to be illustrative, not restrictive, as to the scope of the present invention, which is defined by the appended claims.

Claims (10)

  1. 一种脚本验证方法,在操作系统中执行,包括步骤:A script verification method, executed in an operating system, including the steps:
    执行脚本文件;execute script file;
    判断脚本文件是否是待验证脚本文件;Determine whether the script file is a script file to be verified;
    如果是待验证脚本文件,则基于脚本文件获取脚本文件路径,并将脚本文件路径写入字符设备文件;If it is a script file to be verified, obtain the script file path based on the script file, and write the script file path into the character device file;
    读取字符设备文件,以便基于字符设备文件中的脚本文件路径获取待验证脚本文件;以及reading the character device file to obtain the script file to be verified based on the script file path in the character device file; and
    对待验证脚本文件进行签名验证,如果验证成功,则继续执行所述脚本文件。The signature verification is performed on the script file to be verified, and if the verification is successful, the script file is continuously executed.
  2. 如权利要求1所述的方法,其中,判断脚本文件是否是待验证脚本文件的步骤包括:The method of claim 1, wherein the step of judging whether the script file is the script file to be verified comprises:
    获取脚本文件中的脚本解释器参数,判断脚本解释器参数指定的是否是预定脚本解释器;Obtain the script interpreter parameters in the script file, and determine whether the script interpreter parameter specifies the predetermined script interpreter;
    如果是预定脚本解释器,则确定脚本文件是待验证脚本文件。If it is a predetermined script interpreter, it is determined that the script file is the script file to be verified.
  3. 如权利要求2所述的方法,其中,还包括步骤:The method of claim 2, further comprising the step of:
    如果未获取到脚本解释器参数,则获取脚本文件参数,判断脚本文件参数指定的文件是否是elf文件或java文件;If the script interpreter parameter is not obtained, obtain the script file parameter, and determine whether the file specified by the script file parameter is an elf file or a java file;
    如果不是elf文件或java文件,则确定脚本文件是待验证脚本文件。If it is not an elf file or a java file, it is determined that the script file is the script file to be verified.
  4. 如权利要求1所述的方法,其中,还包括步骤:如果签名验证失败,则终止执行所述脚本文件,并生成签名验证失败的消息显示在界面;The method of claim 1, further comprising the step of: if the signature verification fails, terminate the execution of the script file, and generate a signature verification failure message to display on the interface;
    在对待验证脚本文件进行签名验证之后,还包括步骤:将验证结果写入字符设备文件。After the signature verification is performed on the script file to be verified, the method further includes the step of: writing the verification result into the character device file.
  5. 如权利要求1-4任一项所述的方法,其中,对脚本文件进行签名验证包括:The method according to any one of claims 1-4, wherein, performing signature verification on the script file comprises:
    调用脚本验证方法对脚本文件进行签名验证。Call the script verification method to verify the signature of the script file.
  6. 如权利要求1-4任一项所述的方法,其中,对脚本文件进行签名验证的步骤包括:The method according to any one of claims 1-4, wherein the step of performing signature verification on the script file comprises:
    从脚本文件尾部获取注释信息,基于所述注释信息获取签名数据;获取脚本文件中的脚本内容;Obtain annotation information from the end of the script file, and obtain signature data based on the annotation information; obtain the script content in the script file;
    基于摘要算法计算所述脚本内容的第一摘要;calculating a first digest of the script content based on a digest algorithm;
    基于签名证书对所述签名数据进行解密,生成第二摘要;Decrypting the signature data based on the signature certificate to generate a second digest;
    对比第一摘要和第二摘要是否相同,如果相同,则验证成功。Compare whether the first digest and the second digest are the same. If they are the same, the verification is successful.
  7. 如权利要求6所述的方法,其中,基于签名证书对所述签名数据进行解密的步骤包括:The method of claim 6, wherein the step of decrypting the signature data based on the signature certificate comprises:
    将所述签名数据转换为预定结构的签名信息;converting the signature data into signature information of a predetermined structure;
    对签名证书进行验证,以便验证脚本文件的发布者身份;Verification of the signing certificate in order to verify the identity of the publisher of the script file;
    基于签名证书对所述签名信息进行解密,生成第二摘要。The signature information is decrypted based on the signature certificate to generate a second digest.
  8. 一种脚本签名方法,在计算设备中执行,包括步骤:A script signing method, executed in a computing device, comprising the steps of:
    获取脚本文件中的脚本内容;Get the script content in the script file;
    基于摘要算法计算所述脚本内容的摘要;computing a digest of the script content based on a digest algorithm;
    基于私钥对所述摘要进行签名,生成签名信息,并将所述签名信息转换为签名数据;以及Signing the digest based on the private key, generating signature information, and converting the signature information into signature data; and
    基于注释方法将所述签名数据添加到脚本文件尾部,以作为所述脚本文件的注释信息。The signature data is added to the end of the script file based on a comment method to serve as comment information of the script file.
  9. 一种计算设备,包括:A computing device comprising:
    至少一个处理器;以及at least one processor; and
    存储器,存储有程序指令,其中,所述程序指令被配置为适于由所述至少一个处理器执行,所述程序指令包括用于执行如权利要求1-8中任一项所述的方法的指令。a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising means for performing the method of any of claims 1-8 instruction.
  10. 一种存储有程序指令的可读存储介质,当所述程序指令被计算设备读取并执行时,使得所述计算设备执行如权利要求1-8中任一项所述方法。A readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method according to any one of claims 1-8.
PCT/CN2021/129672 2021-04-23 2021-11-10 Script verification method, script signing method, and computing device WO2022222437A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110439984.3A CN112860240B (en) 2021-04-23 2021-04-23 Script verification method, script signature method and computing device
CN202110439984.3 2021-04-23

Publications (1)

Publication Number Publication Date
WO2022222437A1 true WO2022222437A1 (en) 2022-10-27

Family

ID=75992723

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/129672 WO2022222437A1 (en) 2021-04-23 2021-11-10 Script verification method, script signing method, and computing device

Country Status (2)

Country Link
CN (1) CN112860240B (en)
WO (1) WO2022222437A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112860240B (en) * 2021-04-23 2021-07-16 武汉深之度科技有限公司 Script verification method, script signature method and computing device
CN114282222B (en) * 2021-12-16 2023-03-24 上海健交科技服务有限责任公司 Trusted script loading and executing method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101739340A (en) * 2009-12-17 2010-06-16 金蝶软件(中国)有限公司 Method and device for verifying script file
CN102244659A (en) * 2011-06-30 2011-11-16 成都市华为赛门铁克科技有限公司 Execution method and apparatus of security policy script and security policy system
US20160077816A1 (en) * 2014-09-15 2016-03-17 International Business Machines Corporation Systems management based on semantic models and low-level runtime state
CN111914250A (en) * 2020-08-18 2020-11-10 中科方德软件有限公司 Linux system script program running verification and management and control method
CN112507685A (en) * 2020-11-30 2021-03-16 锐捷网络股份有限公司 YANG file verification method and device, electronic equipment and storage medium
CN112860240A (en) * 2021-04-23 2021-05-28 武汉深之度科技有限公司 Script verification method, script signature method and computing device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7707634B2 (en) * 2004-01-30 2010-04-27 Microsoft Corporation System and method for detecting malware in executable scripts according to its functionality
CN101951605A (en) * 2010-09-14 2011-01-19 浙江大学 Digital signature method of movable Widget
CN103400063A (en) * 2013-08-06 2013-11-20 深信服网络科技(深圳)有限公司 Method and device for executing script file
EP3440821B1 (en) * 2016-04-06 2022-08-24 Karamba Security Secure controller operation and malware prevention
US11528611B2 (en) * 2018-03-14 2022-12-13 Rose Margaret Smith Method and system for IoT code and configuration using smart contracts
CN110413268B (en) * 2018-04-28 2023-11-10 武汉斗鱼网络科技有限公司 Middleware verification method, storage medium, equipment and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101739340A (en) * 2009-12-17 2010-06-16 金蝶软件(中国)有限公司 Method and device for verifying script file
CN102244659A (en) * 2011-06-30 2011-11-16 成都市华为赛门铁克科技有限公司 Execution method and apparatus of security policy script and security policy system
US20160077816A1 (en) * 2014-09-15 2016-03-17 International Business Machines Corporation Systems management based on semantic models and low-level runtime state
CN111914250A (en) * 2020-08-18 2020-11-10 中科方德软件有限公司 Linux system script program running verification and management and control method
CN112507685A (en) * 2020-11-30 2021-03-16 锐捷网络股份有限公司 YANG file verification method and device, electronic equipment and storage medium
CN112860240A (en) * 2021-04-23 2021-05-28 武汉深之度科技有限公司 Script verification method, script signature method and computing device

Also Published As

Publication number Publication date
CN112860240B (en) 2021-07-16
CN112860240A (en) 2021-05-28

Similar Documents

Publication Publication Date Title
US10341119B2 (en) Apparatuses and methods for trusted module execution
WO2022222437A1 (en) Script verification method, script signing method, and computing device
WO2019153544A1 (en) Annotation backend check method and apparatus, computer device and storage medium.
US9721101B2 (en) System wide root of trust chaining via signed applications
US9201642B2 (en) Extending platform trust during program updates
WO2019169759A1 (en) Apparatus and method for creating analog interface, and computer-readable storage medium
JP5748905B2 (en) System and method for storing a reference in a sandbox
US20140250291A1 (en) Continuation of trust for platform boot firmware
WO2022160733A1 (en) File signature method, computing device, and storage medium
JP2008537224A (en) Safe starting method and system
WO2022252466A1 (en) Application authorization method, computing device, and storage medium
AU2012262867A1 (en) System and method for preserving references in sandboxes
CN111291371A (en) Application program security verification method and device
US20220382874A1 (en) Secure computation environment
US11664970B2 (en) Providing access to a hardware resource based on a canary value
JP2021508880A (en) Terminal application management method, application server and terminal
CN112835628A (en) Server operating system booting method, device, equipment and medium
WO2019223094A1 (en) Block chain-based file protection method, and terminal device
WO2020233044A1 (en) Plug-in verification method and device, and server and computer-readable storage medium
CN113961086B (en) Shortcut key implementation method, computing device and storage medium
US10210334B2 (en) Systems and methods for software integrity assurance via validation using build-time integrity windows
CN115225285A (en) Trusted execution environment-based data security uplink implementation method
CN113849245A (en) Application program running method, computing device and storage medium
WO2023077610A1 (en) Data check method and apparatus, electronic device and computer readable storage medium
CN113139197B (en) Project label checking method and device and electronic equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21937659

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE