practice 1. verifying the GPG Suite
  1. found the public key at https://keybase.io/gpgtools and it's the same as the one shown in the site footer.
curl https://keybase.io/gpgtools/pgp_keys.asc | gpg --import
Imported the key and marked full trust.
  1. verified the signature file.
8C31 E5A1 7DD5 D932 B448 FE1D E8A6 6448 0D9E 43F5
but it's showing one of the expired keys, I think it still meant the file is OK.
  1. verified the hashes.
cd Downloads
echo "57468a4adc55d954ead4fe1f88b07eac1b70ada40fcbc810765fd521ef21eef1  GPG_Suite-2023.3.dmg" | shasum -a 256 -c -
GPG_Suite-2023.3.dmg: OK
am I doing it correctly? 👀
1175 sats \ 1 reply \ @ek OP 24 Feb
Ok haha, verifying the tool you use to verify is a funny special case. But very good idea and this gets deep and philosophical fast. 😔
> but it's showing one of the expired keys, I think it still meant the file is OK.
I also think so
> am I doing it correctly? 👀
Yes, you are doing great!
reply
well, it needs to start with verifying the tool before verifying other things. 🤓
and in this case, the software didn't sign too? and how can I tell if it is signed or not? (when do I need to do the sha256sum --check step?)
reply
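Added example, not part of the thread: the "expired key" result from the first comment can be told apart from a bad or unchecked signature by reading gpg's machine-readable status lines (`gpg --status-fd 1 --verify`) and comparing the signer's fingerprint with the one you expect. The function names are hypothetical, the status lines are constructed rather than captured from a real run, and the sample assumes a single signature whose primary key fingerprint is the one quoted in the thread.

```shell
#!/bin/sh
# Usage with a real download (file names are placeholders):
#   gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null | classify_gpg_status "$FPR"
# $1 = fingerprint you expect, obtained out of band (spaces allowed).
# Prints one verdict word; returns 0 only for a valid signature from that key.
classify_gpg_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    sig=none
    primary=
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG)   sig=good ;;
            EXPKEYSIG) sig=good-expired-key ;;   # signature is valid, key has expired
            EXPSIG)    sig=expired-signature ;;
            REVKEYSIG) sig=revoked-key ;;
            BADSIG)    sig=bad ;;                # file or signature does not match
            ERRSIG)    sig=unchecked ;;          # e.g. public key not imported
            VALIDSIG)  primary=${rest##* } ;;    # last field: primary key fingerprint
        esac
    done
    case "$sig" in
        good|good-expired-key)
            if [ "$primary" = "$pinned" ]; then echo "$sig"; return 0; fi
            echo wrong-key; return 1 ;;
        *)  echo "$sig"; return 1 ;;
    esac
}

# Constructed status output for a valid signature made by a key that has expired.
sample_expired_key_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG E8A664480D9E43F5 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 8C31E5A17DD5D932B448FE1DE8A664480D9E43F5 2023-03-01 1677628800 0 4 0 1 10 00 8C31E5A17DD5D932B448FE1DE8A664480D9E43F5
EOF
}

sample_expired_key_status | classify_gpg_status "8C31 E5A1 7DD5 D932 B448 FE1D E8A6 6448 0D9E 43F5"
```

A verdict of `none` means gpg reported no signature at all, which is the case where only the published SHA-256 checksum is left to compare against.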