v2 Signatures (BIsign and BIkey), what is it, and why do you need it?

2011-11-23T01:10:00.001-08:00

What is it?

Signatures are public-private key pairs which can verify the authenticity of signed content (addons).
For general information on public-private key pairs, check out wikipedia.
For ARMA specific information, check out the BIKI.

Why do you need it?

As server admin
The main usage is preventing players to join with modified content (e.g cheating/causing havoc), or to join with content you do not authorize to be used on your server (e.g some sound or other mod).

When you enable signature protection on your server (In server.cfg; verifySignatures = 2; (or the older deprecated 1)),
you will have control over which addons/mods are allowed on your server, and users can only join with correctly signed and unmodified content.
If addons are signed with a versioned key, you can even deny different (older/newer) versions.
You can also sign the content with your own key for maximum control.

Apart from it being a measure against cheating (mostly important on public servers), it is also a technical aid - people joining with the wrong content (different versions, modified / corrupt), will notify the server and themselves that something is wrong.

As addon author
Providing signed content is mostly useful for the server admins using your content, so they can allow your public-key and thus use your content on their server.
Users can also verify the authenticity of downloaded content.

As player
For the player, only the content signatures (BIsign) are relevant, these will allow you to join a server with signature protection enabled, if the private key used to sign the content is allowed on the server.

Who should sign content?
Addon authors are recommended to sign their content.
Server Admins or distributors can also sign content for more fine grained control.

An addon can be signed with virtually unlimited keys, there is no real technical downside on having multiple BIsign files per addon. As long as one of the used keys is accepted by the server you intend to join.
Signatures are not owned by anyone but BIS (not considered content), and are free to be created and distributed by anyone.

What's new and important about v2?
v2 hardens the security e.g by more thorough verification of the game content.
v1 is known to be broken - aka, addons could be modified (e.g for cheating) and still pass the signature check.
There were several issues left in the early v2 implementation, but these should be resolved in latest OA v1.60betas.
Server admins are recommended to run v2 signatures enabled with the latest Betas (or official v1.60 release once out), and also enable BattlEye (combined they provide the highest level of protection).

How to create v2 compatible signatures?
Content has to be signed with the latest DSUtils contained in the BI Tools (v2.5.1 or newer).
There's no need to create a new public-private key pair, content can simply be signed by existing keys if preferred.
The BIsign files created with the new tools are also backwards compatible with v1.

Availability of v2 signatures?
Currently some mod authors have signed content with v2 signatures, a large part hasn't yet.
All mods on the Six Updater network have been signed by an additional key with v2 signatures, to help the community transition to v2 as soon as possible.

Difference with BattlEye?
Signature protection verifies authenticity of content (addons), while BattlEye actively protects the game from other known ways to cheat.
BattlEye also provides rcon remote admin capabilities. Check out the BattlEye page for more info.

BattlEye and Signature Protection supplement each other, and it is highly recommended to enable both.

Final notes
It is very much recommended to enable v2 signatures on any server, ASAP,
and to prefer joining servers with signatures enabled, preferably v2 (especially public servers), and also BattlEye enabled.
e.g Six Updater will show you the protection status (v1/v2, BattlEye) of a server so you can easily filter unprotected or badly protected servers.

Still found a working cheat/hack? Report it with as much details as possible as private ticket to the CIT: http://dev-heaven.net/projects/cis/wiki/CIT#How-to-report-a-bug

Please note, security features generally never offer absolute protection, however running with the latest full set of security measures should improve security, making it harder to cheat (and thus reducing the phenomenon).

Links

BIF: DSutils v2 release (signatures)

Sickboy

v2 Signatures (BIsign and BIkey), what is it, and why do you need it?