sllort's Journal: GPGP for Slashbots and Normal People
Since I've started posting anonymously and signing my posts, I've received a surprising number of emails along the following lines:
- What's to keep me from signing my emails with your key?
- Is this post yours?!?! (link)
- How do I validate your signatures?
- You idiot, signatures require a pen!!!
While I'm hoping that a large percentage of these emails are just people trying to troll me, I guess it's only fair that I present a quick HOWTO document for checking GPG signatures. You can use this document to determine whether or not a
Step 1: Getting the software.
Windows users (Graphical Installer for GPG)
Source Code for all Unix users
If you're a Windows user, unzip the file and run the setup program. If you're a Unix user, you probably know what you're doing, i.e.
Step 2: Getting my key
My key is available from Slashdot's public key hosting space: http://slashdot.org/~sllort/pubkey. All you need to do is save this web page (or its text contents) to a file somewhere on your hard drive, using wget in Linux or Save As in Windows. Next, you'll want to import my key. There are a number of ways to do this, but the best is probably to use the command line and 'gpg --import'. Just type 'gpg --import (name of my public key on your hard drive)'. Here's an example of how to do it in Linux:
[root@slashdot.org root]# wget http://slashdot.org/~sllort/pubkey;gpg --import pubkey
--12:47:15-- http://slashdot.org/%7Esllort/pubkey
=> `pubkey.1'
Resolving slashdot.org... done.
Connecting to slashdot.org[64.28.67.150]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
[ ] 1,298 181.08K/s
19:47:15 (181.08 KB/s) - `pubkey' saved [1298]
gpg: key E8D51376: not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Your output will look a little different since you'll be importing a new key, not an old one.
Step 3: Validating a signature
This is somewhat tricky. Any post in which I use HTML formatting such as bold, italics, links, etc., must be copied from the HTML source, not from your browser. I try to avoid HTML formatting for just this reason, so if you don't see bold or italics, just highlight and copy the whole thing from '-----BEGIN PGP' to 'END PGP SIGNATURE-----'. Nice Windows clients like NAI's PGP let you validate the contents of your clipboard (nice!) - this lets you highlight, right click, and press 'Validate PGP Signature'. The basic way to do this is to paste your selection into a file, save the file, and run 'gpg --verify' on the file like this:
[root@slashdot.org]# gpg --verify
gpg: Signature made Tue 29 Oct 2002 12:51:18 PM EST using DSA key ID E8D51376
gpg: Good signature from "Sibil Llort (sllort) "
If you see anything other than 'Good signature from Sibil Llort', you're reading content from one of my diligent fanboy impersonators. Lucky you!
HTH, HAND,
-s.
Monospace (Score:1)
Just a thought, ignore as needed.
Re:Monospace (Score:1)
E:\Dumpster>gpg --verify sllort.txt
gpg: no signed data
gpg: can't hash datafile: file open error
I have this problem when I either save the comment as a file or when I just paste it into GPG.
Messages posted in "code" mode, or fixed size font, work fine. Very weird... maybe slashdot mangles the signature when you post in "plain old text" mode? Maybe this problem is specific to GPG-windows? I didn't see any differences between the signatures.
Btw: Mozilla has a very useful feature - when you mark text with it and then right click, you get the option "view selection source" and then you can easily copy the selected HTML. Unfortunately GPG still fails to verify it.
Re:Monospace (Score:1)
Oh, and guess what? I've found the problem. If I copy the parent comment with IE, it verifies just fine! Bad Mozilla!
I'll try finding what's different between the 2 pastings.
A-ha! (Score:1)
Mozilla (for windows?) adds a single extra space before the "-----BEGIN" if you mark only the text you want to copy, and that makes the entire message invalid. If you start marking with the slashdot comment header, then moz won't add that extra space.
Further inspection (Score:1)
Solution: Start your message with a blank line or something like <b></b>.
I wonder how many people actually installed GPG because of you.
A couple of things (Score:1)
"./configure;make;su -;make install" should be "./configure;make;su;make install"
Not a biggy, but I'm anal and that's why I'm telling you.
Secondly, and more importantly, you don't need to save your message to a file in order to check it in Linux. You can do the following:
$ gpg --verify
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
the idea was that the signature block was easier to cut & paste when it's monospaced. i personally have always preferred that characters line up on consecutive lines, but i guess if it's annoying people i could leave it out. can you verify this comment?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: i am sllort [slashdot.org] and i post AC [slashdot.org]
iD8DBQE9vtgjKpz2COjVE3YRAvfQAKC0y0tMjBfRTY3vu9L
k9a6/jp4+Uer3jZCySjw1rk=
=bviR
^D
gpg: Signature made Tue Oct 29 19:49:07 2002 CET using DSA key ID E8D51376
gpg: Good signature from "Sibil Llort (sllort) "
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.
No path leading to one of our keys found.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: E6AC A016 2E8B A89D 7991 F16D 2A9C F608 E8D5 1376
I have run "gpg --verify" and then pasted a post directly. I used Ctrl-D to end it. Easier than creating a file each time.
God knows why I get the warning I do, but this is the first time I've used gpg. I get the same results if I create a file in any case.
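Step 3 of the journal and two findings in this thread (the browser-added leading space that makes gpg report "no signed data", and pasting a post straight into 'gpg --verify') can be combined into a small pre-check. This is an added example, not sllort's code or anyone else's in the thread: it cuts the clearsigned block out of whatever was copied, strips stray indentation from the armor lines only, and recomputes the armor's CRC-24 trailer (the '=bviR' line) to catch a mangled paste before gpg is run; the sample post and its 40-byte "signature" are constructed, and the signature itself is still something only gpg can check.

```python
import base64, re

# [ \t]* absorbs the stray space a browser may put before "-----BEGIN" (the Mozilla paste bug in the thread).
BLOCK_RE = re.compile(
    r"^[ \t]*(-----BEGIN PGP SIGNED MESSAGE-----\r?\n.*?-----END PGP SIGNATURE-----)",
    re.S | re.M)
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 6.1): init 0xB704CE, poly 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor_trailer(raw: bytes) -> str:
    """The '=xxxx' line that closes an armored block (like '=bviR' in the post)."""
    return "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()

def extract_block(pasted: str):
    """Cut the clearsigned block out of a paste; de-indent armor lines only, never the signed text."""
    m = BLOCK_RE.search(pasted)
    if m is None:
        return None                       # what gpg reports as "no signed data"
    head, sig = m.group(1).split(SIG_BEGIN, 1)
    sig = "\n".join(l.strip(" \t") for l in sig.splitlines())
    return head.rstrip(" \t") + SIG_BEGIN + sig + "\n"

def armor_checksum_ok(block: str) -> bool:
    """Spot a mangled paste via the CRC-24 trailer; the signature itself is still gpg's job."""
    lines = block.partition(SIG_BEGIN)[2].partition("-----END")[0].strip().splitlines()
    if "" in lines:                       # armor headers end at the blank line
        lines = lines[lines.index("") + 1:]
    trailers = [l for l in lines if l.startswith("=")]
    try:
        raw = base64.b64decode("".join(l for l in lines if l[:1] != "="), validate=True)
    except ValueError:                    # non-base64 characters or bad padding
        return False
    return len(trailers) == 1 and trailers[0] == armor_trailer(raw)

FAKE_SIG = bytes(range(1, 41))             # constructed bytes, not a real DSA signature
# Constructed sample: armor around FAKE_SIG, prefixed with the single space Mozilla added.
SAMPLE = (" -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\ncan you verify this comment?\n"
          + SIG_BEGIN + "\nVersion: GnuPG v1.0.6 (GNU/Linux)\n\n"
          + base64.b64encode(FAKE_SIG).decode() + "\n" + armor_trailer(FAKE_SIG)
          + "\n-----END PGP SIGNATURE-----\n")
```

The string returned by extract_block is what you feed to 'gpg --verify' on stdin, exactly as in the Ctrl-D session above.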
The warning (Score:1)
To avoid getting this warning, you need to mark Sllort's key as something you trust. However, I haven't managed to do that, since the command requires specifying the "long UID" (yes, just writing "sllort" is not enough, unlike in PGP) and I don't feel like scanning the docs to find out how to do that.
How to fix (Score:1)
run "gpg --edit-key sllort"
then type "lsign" (to sign the key locally).
Suggestions (Score:2)
Another problem is that it's too hard to verify every post. So someone who decides to pass himself off as you with a gibberish signature might not be caught. If someone seriously decides to spoof you, you'll probably be the first one to notice, and you'll have to post a reply: 'He's not me, check the sig.'
With that in mind, here is a better technique: Create a Journal topic, and whenever you post a comment, also post it to your journal topic. Include at the bottom of each comment a link titled 'To verify click here' which links to the Journal topic.
This is, admittedly, not nearly as geeky cool, but it may work better.
Re:Suggestions (Score:2)
There is really no reason to make your verification posts part of the slashdot system, though. You can post those anywhere--on other bulletin boards, on USENET, as long as you provide a link.