# -*- coding: utf-8 -*- import hashlib from cryptography.exceptions import InvalidSignature from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from .paths import REPO_SIG_FILE def verify_signature(file, signature): # Verifies ECDSA HMAC SHA512 signature of a file with open(REPO_SIG_FILE, 'rb') as f: pub_key = serialization.load_pem_public_key(f.read(), default_backend()) pub_key.verify(signature, file, ec.ECDSA(hashes.SHA512())) def verify_hash(file, expected_hash): # Verifies SHA512 hash of a file against expected hash sha512 = hashlib.sha512() with open(file, 'rb') as f: while True: data = f.read(65536) if not data: break sha512.update(data) if sha512.hexdigest() != expected_hash: raise InvalidSignature(file)