reply on: The Curious Case of Digital Signatures \ stacker news ~crypto

pull down to refresh

473 sats \ 38 replies \ @Natalia 24 Feb \ parent \ on: The Curious Case of Digital Signatures crypto

deleted by author

480 sats \ 37 replies \ @ek OP 24 Feb freebie

Yes. The "asc" is the (detached) signature.

The hardest part is verifying the public key but most people just skip that lol

0 sats \ 6 replies \ @Natalia 25 Feb

now I finally understand what you mean here, why not just put each dev's key in GitHub 😨

0 sats \ 5 replies \ @ek OP 25 Feb freebie

Best way is to spread your key fingerprint around imo.

If you only use one site as the source of trust, it's a single point of failure. Even if it's Github.

I have to do that myself, still figuring things out around PGP keys

412 sats \ 29 replies \ @Natalia 24 Feb freebie

deleted by author

346 sats \ 28 replies \ @ek OP 24 Feb freebie

To be fair, I think if the instructions mention to import the key from a site like Keybase like Sparrow does, I think it's fine. Most important thing is to not import the public key from the same site you received everything else and I think if people just follow instructions, they automatically do that.

It just makes me feel uneasy if people are not aware that this is important. The why's and so on.

589 sats \ 27 replies \ @Natalia 24 Feb

deleted by author

0 sats \ 26 replies \ @ek OP 24 Feb

Haha yes. Like a secret key hidden in plain sight.

0 sats \ 25 replies \ @Natalia 24 Feb

deleted by author

359 sats \ 24 replies \ @ek OP 24 Feb

~~Yes~~

~~You just summarized my post with a few words haha~~

Wait, no. The dev signs the software (or whatever). The signature IS the hash "encrypted" with the private key.

0 sats \ 23 replies \ @Natalia 24 Feb

deleted by author

view replies