346 sats \ 28 replies \ @ek OP 24 Feb \ parent \ on: The Curious Case of Digital Signatures crypto
To be fair, I think if the instructions mention to import the key from a site like Keybase like Sparrow does, I think it's fine. Most important thing is to not import the public key from the same site you received everything else and I think if people just follow instructions, they automatically do that.
It just makes me feel uneasy if people are not aware that this is important. The why's and so on.
It just makes me feel uneasy if people are not aware that this is important.
like @DarthCoin say - education is key 🔑
reply
Haha yes. Like a secret key hidden in plain sight.
reply
is my understanding correct?
the logic behind this is the dev uses his private key to sign the signature ( asc ) which then hash the software.
reply
Wait, no. The dev signs the software (or whatever). The signature IS the hash "encrypted" with the private key.
reply
hmmmm, I need to do more practice to understand it better, and I still don't get the part when you need to do the checksum or not? 👀
reply
deleted by author
reply
reply
did you use a new key to sign that?
No, I just used
gpg --clearsign. I just hoped it would pick the right key haha.Due to the markdown formatting, it might get tricky, but you should be able to use go to #437477/edit to see the raw formatting.
edit: Oh no, it picked a wrong GPG secret key 🙈
Will post new message with my ekzyis@ekzyis.com GPG key
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I still don't get the part when you need to do the checksum or not? 👀
No worries! This means I didn't explain well enough (among other things) 👀
You need to do the checksum stuff when the name of the signature file without .asc at the end is not the same as the software you downloaded.
Examples:
- Electrum: Signature is named
electrum-4.5.3.dmg.ascand software is namedelectrum-4.5.3.dmg. This means the software was signed. - Sparrow: Signature is named
sparrow-1.8.2-manifest.txt.ascand software is namedSparrow-1.8.2-x86_64.dmg. This means that the software was not signed butSparrow-1.8.2-manifest.txt.
So it depends on what was signed. You can sign anything. Like I just signed this message. Try to verify the signature :)
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCAAwFiEER3BdefVXE2Q1VvSZ7Ow39o+3M5gFAmXaJGUSHGVrenlpc0Bl
a3p5aXMuY29tAAoJEOzsN/aPtzOYTCIP/1pMj/AJGDa3BKXDbB7Uc5lZ5agsPlTw
0p+eP9zIFUdcFNNTF5UZRi/QJn2deD/9fkSG/cBcTE0wH7cK0HRNl+fQ3balNOta
ublTjOnbEEp+2LcAoxfbjvvywjxW9QL7N9JLJ5yOfrLUpWS0w8OM6u5Z+gPBsYGG
NaJyigh7cSAx/uAgNMFKA+aidGaqG+oBGtK2xxqdj2T0kukydc2l2sl40/sotRB/
Q+4xmOrg0o+dXXAiorlgFaX8o+bPKk1O4bnDFClQW+m3/PajWEJaOGS50KD2kbmi
GweFZSooAgkzH4t5WRoTLtzdAqu5oM5idRkklNCJaXSpCYLFrgp6mTLiIOwqG6fd
JOSIZQv4h12G210fhNu3k0xr9Y4fXrYM5bH+uH3JUeUATXMIZbx4mN5iIlMLA68r
r+9yT43UgHcUFqRxg8SxCPY0CcIAm+djdfvcv3eY1I8HsxEaL/84gS+WqgPmvTZ3
LmX8Tq4lsl7lVy46efaFxP2yXU4hCriWlfuIf/7/ddgiwdKxiFHBzHzbuWcGdq9Z
x2hbFAIMj3850IpkTPLlfYypFmvniLqEEWK38Lb3518m/+Bv40gJFwAimPXgZUK6
6TJqKEchtk71J8KabB2bLCHae0AVj1mOFx3z890pU5gmoQXDEhWZ6gz8wVTzN5zY
PVfJJYgeWN/s
=oo4+
-----END PGP SIGNATURE-----
reply
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
verified, signed from the @ek who taught me about PGP. 😎
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEA0IF2zsVA57DXnY67ygEF1PLI20FAmXaJqQACgkQ7ygEF1PL
I23F3g/9HGklWN5LvyiF+dtyFtWoSfRJQKVVlTgoF3IAq3CDP8/a7YTF3FhtF8LS
7hH0lDS6nZ1URRGbxckoMeDIdXySkXDWYz+mXzrCpFmMiu73cgdvU1g/XHuCeG9b
ugG1mK4VN7HlnzakDc9XBpsaB3dMc2LiFoI/jGqIkdASo5rxccQ1k946weTTUUWq
Ygkf0lsRhz0l1bbRVc3eoMp5az0kxKMDY2readQz5gr9UkRmiPc5IQZTlELcQhxK
+HiuJ/DhyvFnA0++YIOrgR91SuK/VYgBZUMeySqaddz1K4RH+QvlweWXg4Scqapn
6BtRQPuO81s7juIZt/XjibQD/bsV0r5iOlb10C1BWRT9Btbe3X4s6nm9AaNmUaPL
YyoU78+BnQlWUck2I2+djktU6wbod7fCiOCyrrA5vE6UPB/ONLprou7lOXWLsobO
lqjaEzIZF5vqBxrpUuoJzHNsMOQ1Ane0oV4s8lXH7q2Zqkl99vfnnCd4/pQqZO72
8ZNtIrs/QAUpLjtyH7lY9fND6QXl97NEMVmhhM5Iz/mLSvYPo/PbLCaBJwZV+ky3
5rIXleM4KqvD/IgsrZNRwe9UMM7tBWylw/QERgW0vwVZvUMUApL5+oaYPSNwGpzl
S0XG+eX6lK4HSifEpxLHlLPbSNCtU9srnz6rK2giKYQvD6JBc5c=
=IQfZ
-----END PGP SIGNATURE-----