sllort's Journal: GPGP for Slashbots and Normal People

Since I've started posting anonymously and signing my posts, I've received a surprising number of emails along the following lines:

  • What's to keep me from signing my emails with your key?
  • Is this post yours?!?! (link)
  • How do I validate your signatures?
  • You idiot, signatures require a pen!!!

While I'm hoping that a large percentage of these emails are just people trying to troll me, I guess it's only fair that I present a quick HOWTO document for checking GPG signatures. You can use this document to determine whether or not a /. post was actually written by me (quite a few with my name on it aren't).

Step 1: Getting the software.

Windows users (Graphical Installer for GPG)
Source Code for all Unix users

If you're a Windows user, unzip the file and run the setup program. If you're a Unix user, you probably know what you're doing, i.e. ./configure;make;su -;make install. Additionally most modern Linux distributions (specifically RedHat) come with some version of GPG; just type 'gpg --version' to see if you have it.

Step 2: Getting my key

My key is available from Slashdot's public key hosting space: http://slashdot.org/~sllort/pubkey. All you need to do is save this web page (or its text contents) to a file somewhere on your hard drive, using wget in Linux or Save As in Windows. Next, you'll want to import my key. There are a number of ways to do this, but the best is probably to use the command line and 'gpg --import'. Just type 'gpg --import (name of my public key on your hard drive)'. Here's an example of how to do it in Linux:

[root@slashdot.org root]# wget http://slashdot.org/~sllort/pubkey;gpg --import pubkey
--12:47:15-- http://slashdot.org/%7Esllort/pubkey
                      => `pubkey.1'
Resolving slashdot.org... done.
Connecting to slashdot.org[64.28.67.150]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
        [ ] 1,298 181.08K/s
19:47:15 (181.08 KB/s) - `pubkey' saved [1298]

gpg: key E8D51376: not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Your output will look a little different since you'll be importing a new key, not an old one.

Step 3: Validating a signature

This is somewhat tricky. Any post in which I use HTML formatting such as bold, italics, links, etc., must be copied from the HTML source, not from your browser's rendered view. I try to avoid HTML formatting for just this reason, so if you don't see bold or italics, just highlight and copy the whole thing from '-----BEGIN PGP' to 'END PGP SIGNATURE-----'. Nice Windows clients like NAI's PGP let you validate the contents of your clipboard (nice!) - this lets you highlight, right click, and press 'Validate PGP Signature'. The basic way to do this is to paste your selection into a file, save the file, and run 'gpg --verify' on the file like this:

[root@slashdot.org]# gpg --verify .sllortpost
gpg: Signature made Tue 29 Oct 2002 12:51:18 PM EST using DSA key ID E8D51376
gpg: Good signature from "Sibil Llort (sllort) "

If you see anything other than 'Good signature from Sibil Llort', you're reading content from one of my diligent fanboy impersonators. Lucky you!
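One way to make the Step 3 check mechanical, as an added example that is not part of the journal entry: instead of reading the words 'Good signature' off the screen, pipe gpg's machine-readable status output (--status-fd) into a small shell function that accepts the post only if the VALIDSIG line carries the expected key fingerprint, since a 'Good signature' from a look-alike key with the same name is exactly what an impersonator would produce. The pinned fingerprint is the one a commenter's gpg reports for key ID E8D51376 further down this page; the status lines inside the block are constructed samples, and the impostor's fingerprint is made up.

```shell
# Added example (not sllort's own code): judge a post from gpg's status output.
# Real use:  gpg --status-fd 1 --verify saved_post.txt 2>/dev/null | is_genuine_post
# Pinned fingerprint: the one reported for key ID E8D51376 in the comment thread.
EXPECTED_FPR="E6ACA0162E8BA89D7991F16D2A9CF608E8D51376"

# Read "[GNUPG:] ..." status lines on stdin. Succeed only when a VALIDSIG line
# carries the pinned fingerprint; fail at once on a bad, unverifiable or missing
# signature. GOODSIG alone is not enough: it only proves the signature matches
# *some* imported key, and anyone can generate a key whose user ID says "sllort".
is_genuine_post() {
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $EXPECTED_FPR "*) ok=0 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*) return 1 ;;
        esac
    done
    return "$ok"
}

# Constructed status lines for a post signed with the real key. The key was
# imported but never lsign'ed, so gpg also emits the trust warning seen in the
# thread; that warning no longer matters once the fingerprint itself is pinned.
genuine_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 2A9CF608E8D51376 Sibil Llort (sllort)' \
        "[GNUPG:] VALIDSIG $EXPECTED_FPR 2002-10-29 1035917478 0 3 0 17 2 01 $EXPECTED_FPR" \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Constructed status lines for an impersonator: identical user ID, made-up key.
impostor_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG DEADBEEFDEADBEEF Sibil Llort (sllort)' \
        '[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2002-10-29 1035917478 0 3 0 17 2 01 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Run the check on one of the samples: check_sample genuine | check_sample impostor
check_sample() { "${1}_status" | is_genuine_post; }

if check_sample genuine; then echo "genuine sample: accepted"; fi
if ! check_sample impostor; then echo "impostor sample: rejected"; fi
```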

HTH, HAND,

-s.

  • I suppose there's a good reason you're posting with the PRE tag or whatever is causing me to be seeing a monospaced font rather than my default typface for your comments? That makes your posts visually annoying, which I think detracts from what you're trying to do/say/whatever.

    Just a thought, ignore as needed.
  • Firstly your compilation instructions are a bit off

    "./configure;make;su -;make install" should be "./configure;make;su;make install"

    Not a biggy, but I'm anal and that's why I'm telling you.

    Secondly, and more importantly, you don't need to save your message to a file in order to check it in Linux. You can do the following:

    $ gpg --verify
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    the idea was that the signature block was easier to cut & paste when it's monospaced. i personally have always preferred that characters line up on consecutive lines, but i guess if it's annoying people i could leave it out. can you verify this comment?

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: i am sllort [slashdot.org] and i post AC [slashdot.org]

    iD8DBQE9vtgjKpz2COjVE3YRAvfQAKC0y0tMjBfRTY3vu9LK HV 22PjmC3QCggc/B
    k9a6/jp4+Uer3jZCySjw1rk=
    =bviR
    - ----END PGP SIGNATURE-----
    ^D
    gpg: Signature made Tue Oct 29 19:49:07 2002 CET using DSA key ID E8D51376
    gpg: Good signature from "Sibil Llort (sllort) "
    Could not find a valid trust path to the key. Let's see whether we
    can assign some missing owner trust values.

    No path leading to one of our keys found.

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    gpg: Fingerprint: E6AC A016 2E8B A89D 7991 F16D 2A9C F608 E8D5 1376

    I have run "gpg --verify" and then pasted a post directly. I used Ctrl-D to end it. Easier than creating a file each time.

    God knows why I get the warning I do, but this is the first time I've used gpg. I get the same results if I create a file in any case.
    • It's some sort of a defense mechanism in PGP (and GPG). Normally when someone sends her private key, it needs to be signed by someone else (someone that you mark as a person you can trust), so you can know it's really her key and not the key of some imposter/hacker.

      To avoid getting this warning, you need to mark Sllort's key as something you trust. However I haven't managed to do that, since the command requires specifying the "long UID" (yes, just writing "sllort" is not enough, unlike in PGP) and I don't feel like scanning the docs for knowing how to do that.
    • I checked the help text and found how to do it:

      run "gpg --edit-key sllort"
      then type "lsign" (to sign the key locally).
  • There seem to be a couple of problems with your technique. One is slashdot's lameness filter which will sometimes change the content of your message around a bit. And if your strategy catches on, they could decide to be malicious about it.

    Another problem is that it's too hard to verify every post. So someone who decides to pass himself off as you with a gibberish signature might not be caught. If someone seriously decides to spoof you, you'll probably be the first one to notice, and you'll have to post a reply: 'He's not me, check the sig.'

    With that in mind, here is a better technique: Create a Journal topic, and whenever you post a comment, also post it to your journal topic. Include at the bottom of each comment a link titled 'To verify click here' which links to the Journal topic.

    This is, admittedly, not nearly as geeky cool, but it may work better.
