Say I have a scenario in which I have a few hundred remote PCs. These PCs never connect to the internet. At least once a month, someone is tasked with using a utility I control to load updated data onto a USB drive, carry it out to a remote PC and plug it in. The PC has software on it that knows how to import and install the data from the USB drive. I can update and control this software as well. I would like to start verifying the integrity and source of the data being loaded to these PCs to insure that no one has tampered with the data loaded to the USB drive. My idea is to hash all of the files contained on the USB drive, store these hashes corresponding to each file in an XML document, and digitally sign the XML document. The data is not encrypted; I don't care if someone else sees the data, I just don't want anyone tampering with it.
The issue I've run into is how to verify the signer of the XML document. Typical PKI practice would have me sign my public key with a certificate authority (CA) the remote PC trusts in order to verify my identity.
However, since these remote PCs never connect to the internet, I cannot guarantee that the remote PCs have up to date versions of public keys from or even know about a given CA. Is there a secure way for me to distribute certificate keys or another identity verification method I could use to accomplish this?
You do not need to have an Internet connection to use public-key cryptography, and this is exactly how I would approach this problem.
I don't think that you need a "CA." You simply need to have a known public key, e.g. embedded in your application, that can be used to decrypt the XML content and to verify its cryptographic signature. This will simultaneously take care of the matter of knowing that the XML comes from a trusted source (you ...), and that it has not been altered.
The XML file could be stored on the target system in encrypted form, and decrypted every time it is used. If concealment of the XML content is not important, it could be cryptographically signed.
