Collaborate Disseminate
Is there an online tool which allows users to verify that an armoured, detached PGP signature for a file is valid?
The closest thing I found was PGPTool.org, which is quite nice but unfortunately does not cater for detached signatures.
I’m… Continue reading User-Friendly PGP Verification tool [migrated]
I have a gpg key linked to my identity and real email address. I also use github with their private email functionality "id+username@users.noreply.github.com", which I set as my git email. The purpose is to avoid bots doing data … Continue reading Do git commit signatures reveal key uid if different from git email?
Context:
I’m filling my taxes and my country requires me to upload certain documents from my employer to verify the numbers I give to the government. These documents are "digitally signed", like so:
Now, before I use these certi… Continue reading What exactly happens when I "validate" a digital signature?
Considering an HMAC algorithm: it shall guarantee integrity and authenticity. I don’t understand what authenticity means: that signature could be generated by anyone having the shared secret key (non repudiation is not supported in symmetr… Continue reading I don’t undertand the meaning of ‘Authenticity’ property [migrated]
The link here, https://www.openssl.org/docs/manmaster/man7/Ed25519.html, contains C-code that works just perfect to sign a message using Ed25519 in a C/C++ program.
But I just can’t find any corresponding code to verify a signed message.
A… Continue reading Code sample (OpenSSL – EVP) of verifying signed Ed25599 content
The use-case is as follows:
There is a signer that have a claim or document D who wants any client to be able to verify that D has not been tampered with.
I suppose one way to do this is to use assymetric encryption where: E = encrypt(D, K… Continue reading Encrypting content with assymetric key pairs as a form of signing
Problem
For some reason I forgot the passphrase for my GnuPG signing subkey, but I have my master key stored in a separate device. Is there a way to regain access to my subkey? Or should I replace my old subkey with a new one hoping the ol… Continue reading Reset forgotten subkey password using master key?
Scenario A: Suppose I have an .exe file, the provider offers a sha1 txt file with hash value and this txt file is gpg signed. So I check if the hash value matches the exe file and then download the key either from the keyserver or directly… Continue reading Is it normal, that some companies just sign the txt file which contains the sha value of the program?
When one desires to share their public key openly, besides sharing just the key itself:
How does one verify that the key belongs to who it claims to be owned by?
What is the use case of the key’s fingerprint?
Is there a benefit to create … Continue reading Best practices for verifying authenticity of public key
I know about the trust web in PGP. When you sign a key, everybody that trusts you will trust the person with that key. But what is the point of self-signing a key when anybody else can do that with his own key-pair?
Continue reading Why a public key must be signed with its private pair in PGP