reply on: The Curious Case of Digital Signatures \ stacker news ~crypto

412 sats \ 29 replies \ @Natalia 24 Feb \ parent \ on: The Curious Case of Digital Signatures crypto

how hard can it be, all you need to do is to search. 😂

To be fair, I think if the instructions mention to import the key from a site like Keybase like Sparrow does, I think it's fine. Most important thing is to not import the public key from the same site you received everything else and I think if people just follow instructions, they automatically do that.

It just makes me feel uneasy if people are not aware that this is important. The why's and so on.

589 sats \ 27 replies \ @Natalia 24 Feb

It just makes me feel uneasy if people are not aware that this is important.

like @DarthCoin say - education is key 🔑

0 sats \ 26 replies \ @ek OP 24 Feb

Haha yes. Like a secret key hidden in plain sight.

0 sats \ 25 replies \ @Natalia 24 Feb

is my understanding correct?

the logic behind this is the dev uses his private key to sign the signature ( asc ) which then hash the software.

359 sats \ 24 replies \ @ek OP 24 Feb

~~Yes~~

~~You just summarized my post with a few words haha~~

Wait, no. The dev signs the software (or whatever). The signature IS the hash "encrypted" with the private key.

0 sats \ 23 replies \ @Natalia 24 Feb

hmmmm, I need to do more practice to understand it better, and I still don't get the part when you need to do the checksum or not? 👀

2222 sats \ 22 replies \ @ek OP 24 Feb

deleted by author

492 sats \ 6 replies \ @Natalia 24 Feb

madness 😂

so if abcd.dmg.asc with abcd.dmg - no need. but abcdfrfsve.dmg.asc with abcd.dmg - need.

did you use a new key to sign that?

view replies

0 sats \ 14 replies \ @ek OP 24 Feb

used wrong GPG secret key above, lol

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

I still don't get the part when you need to do the checksum or not? 👀

No worries! This means I didn't explain well enough (among other things) 👀

You need to do the checksum stuff when the name of the signature file without .asc at the end is not the same as the software you downloaded.

Examples:

Electrum: Signature is named electrum-4.5.3.dmg.asc and software is named electrum-4.5.3.dmg. This means the software was signed.
Sparrow: Signature is named sparrow-1.8.2-manifest.txt.asc and software is named Sparrow-1.8.2-x86_64.dmg. This means that the software was not signed but Sparrow-1.8.2-manifest.txt.

So it depends on what was signed. You can sign anything. Like I just signed this message. Try to verify the signature :)

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEER3BdefVXE2Q1VvSZ7Ow39o+3M5gFAmXaJGUSHGVrenlpc0Bl a3p5aXMuY29tAAoJEOzsN/aPtzOYTCIP/1pMj/AJGDa3BKXDbB7Uc5lZ5agsPlTw 0p+eP9zIFUdcFNNTF5UZRi/QJn2deD/9fkSG/cBcTE0wH7cK0HRNl+fQ3balNOta ublTjOnbEEp+2LcAoxfbjvvywjxW9QL7N9JLJ5yOfrLUpWS0w8OM6u5Z+gPBsYGG NaJyigh7cSAx/uAgNMFKA+aidGaqG+oBGtK2xxqdj2T0kukydc2l2sl40/sotRB/ Q+4xmOrg0o+dXXAiorlgFaX8o+bPKk1O4bnDFClQW+m3/PajWEJaOGS50KD2kbmi GweFZSooAgkzH4t5WRoTLtzdAqu5oM5idRkklNCJaXSpCYLFrgp6mTLiIOwqG6fd JOSIZQv4h12G210fhNu3k0xr9Y4fXrYM5bH+uH3JUeUATXMIZbx4mN5iIlMLA68r r+9yT43UgHcUFqRxg8SxCPY0CcIAm+djdfvcv3eY1I8HsxEaL/84gS+WqgPmvTZ3 LmX8Tq4lsl7lVy46efaFxP2yXU4hCriWlfuIf/7/ddgiwdKxiFHBzHzbuWcGdq9Z x2hbFAIMj3850IpkTPLlfYypFmvniLqEEWK38Lb3518m/+Bv40gJFwAimPXgZUK6 6TJqKEchtk71J8KabB2bLCHae0AVj1mOFx3z890pU5gmoQXDEhWZ6gz8wVTzN5zY PVfJJYgeWN/s =oo4+ -----END PGP SIGNATURE-----

view replies