From 83901f06a1fef155fff453fc3fcbe8c73d543c91 Mon Sep 17 00:00:00 2001 From: Yarmo Mackenbach Date: Mon, 29 Jun 2020 10:23:03 +0200 Subject: [PATCH] Add guide --- pages/guides/verify.content.html | 51 ++++++++++++++++++++++++++++++++ pages/guides/verify.title.html | 1 + 2 files changed, 52 insertions(+) create mode 100644 pages/guides/verify.content.html create mode 100644 pages/guides/verify.title.html diff --git a/pages/guides/verify.content.html b/pages/guides/verify.content.html new file mode 100644 index 0000000..152ab9e --- /dev/null +++ b/pages/guides/verify.content.html @@ -0,0 +1,51 @@ +

Let's see how to verify an OpenPGP signature.

+ +

Obtain a signature

+ +

If you already have a signature you would like to verify, great! If not, let's use the following signature for the guide:

+-----BEGIN PGP SIGNED MESSAGE----- +
Hash: SHA256 +
+
I like pineapple. +
-----BEGIN PGP SIGNATURE----- +
+
iQJDBAEBCAAtFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl70mVUPHHlhcm1vQHlh +cm1vLmV1AAoJEDc2f0r0CHrRQXIP/08uza9zOtmZXv5K+uPGVzDKwkgPgZJEezX7 +6iQ358f1pjSRvYfQ5aB13k2epUHoqCKArMYu1zPqxhvLvvAvp8uOHABnr9NGL3El +u7UUgaeUNHkr0gxCKEq3p81abrrbbWveP8OBP4RyxmaFx13Xcj7mfDluiBHmjVvv +WU09EdH9VPlJ7WfZ+2G2ZZDHuE5XiaeP7ocugTxXXLkp33zwpDX0+ZuCIXM6fQGe +OccSffglFPdNBnfasuuxDWxTQPsEbWGOPJV+CAPmBDeApX+TBF9bovO3hw4Uozk2 +VT7EAy8Hb0SOrUb3UNGxzoKv++5676IxyB4JXX0Tr9O4ZxhO8o9pEEHwirtn/J1+ +MWven4gVlWM/6bMeUqx6ydyNc2nqF5059yfRmwGMlp09x82G4x1bcf6aDZ+5njDG +fS5T2OpXRIkZHJx8BhmZjsxiDR0KV44zwHpt06+96ef3EDWB0BcP6M+a5Rtc33zf +irRmQd2M6RLyXCYtdGIiiAFRuomw802U4F0P4LwVrZdbGA6ObqBv1k8BUFCMbMz8 +Ab4hF7kO4z0Vh3JaKzcHey0pOzdNCPpAHZ51sAoAnFDM4PdMBgQxxVweCMu4KYMZ +FN8sNn42oY/b7gDmwCelVhgD+rvUn/a8+B7CDmCp+wIquyrjrTt00voATcb+ZPMJ +
pTXJ/NcM +
=rqTX +
-----END PGP SIGNATURE----- +
+ +

Copy the above signature.

+ +

Verify the signature

+ +

Open the keyoxide.org/verify page and paste the signature in the corresponding field.

+

Scroll down and press the VERIFY SIGNATURE button.

+

Keyoxide lets you know the signature was verified and signed by a certain person.

+ +

Verify the signature against a specific public key

+ +

Sometimes, you want to know if a specific person or public key was used to create a signature. In this case, let's figure out if the message was signed by Yarmo's public key or his friend Wiktor's public key.

+ +

Copy the following fingerprint:

+653909A2F0E37C106F5FAF546C8857E0D8E8F074 +

Paste it in the Email / key id / fingerprint field under Public Key (3: HKP server) and press the big button again. It could not be verified. Guess it wasn't Wiktor who signed that message.

+ +

Now, copy the following fingerprint:

+9f0048ac0b23301e1f77e994909f6bd6f80f485d +

Paste it in the same field and press the big button again. It did verify! It was Yarmo all along.

+ +

Going further

+ +

You could try using different mechanisms of fetching keys, such as web key directory or copy-pasting a plaintext public key.
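
Review bot: In the "Verify the signature" step, the sentence "Keyoxide lets you know the signature was verified and signed by a certain person" does not say which public key the check ran against or where that key was fetched from, so a reader can take a "verified" result as proof of identity when it only shows that the message matches some key. Suggest adding a sentence that names the key source used when no key is supplied, and that tells the reader to compare the reported fingerprint with one obtained from the signer through a separate channel, which is what the later section does with explicit fingerprints. Minor style point in "Verify the signature against a specific public key": the first fingerprint is written in uppercase and the second in lowercase; pick one form for both.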

diff --git a/pages/guides/verify.title.html b/pages/guides/verify.title.html new file mode 100644 index 0000000..1d01185 --- /dev/null +++ b/pages/guides/verify.title.html @@ -0,0 +1 @@ +Verifying a signature