____________________

                          CRYPTOGRAPHY HOWTO

                          David K. Trudgett
                         ____________________


Table of Contents
_________________

1. The OpenPGP Standard
2. Getting Set Up With OpenPGP Tools
3. How to Verify the Integrity and Authorship of Files in this Gopherhole
. 1. Downloading and Importing the Key from here
. 2. Obtaining the Public Key from a Public Keyserver
. 3. Verifying a Downloaded File Against its Signature





1 The OpenPGP Standard
======================

 OpenPGP is the Internet open-standards take on Phil Zimmermann's
 original PGP encryption program and its subsequent development. For
 an overview, you may wish to refer to the [Pretty Good Privacy]
 article on Wikipedia.

 Many sources of information, including the [OpenPGP website] itself,
 will tell you that OpenPGP is an email encryption standard. That is
 not true. It is an open encryption standard which can be applied to
 virtually anything, such as files, documents, whole disk contents, and
 so on. It is also commonly applied to email communications; however,
 it is not limited to that domain.

 This gopherhole, for instance, uses OpenPGP (and, in particular, the
 GnuPG implementation of it) to provide cryptographic signatures for
 the main files which are available for download. When you verify these
 signatures, you can be assured of two things:

 1. The file was created by me; and
 2. The file has not been altered in any way, shape or form since I
    created and signed it. This also tells you that the file was not
    corrupted during the download process.


[Pretty Good Privacy]
<https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP>

[OpenPGP website] <https://www.openpgp.org/>


2 Getting Set Up With OpenPGP Tools
===================================

 All of the major platforms, such as Linux, BSD*, Mac OS, Windows, iOS
 and Android, have OpenPGP implementations available for them.

 If you have not yet read my Recipe for Freedom snippet, you should
 consider doing so, as it contains further rationale and links to
 practical things you can do to increase privacy and freedom in general.


3 How to Verify the Integrity and Authorship of Files in this Gopherhole
========================================================================

 Having installed and configured your OpenPGP implementation according
 to the suggestions under the previous heading, you are now ready to
 perform the simple steps required to verify the integrity and
 authorship of the files you download from this gopherhole.

 When you download a PDF article or image file from this gopherhole,
 download its signature file at the same time. Do not wait until later
 to download the signature file, for the simple reason that if the
 document or file is updated in the gopherhole in the future, so will
 its signature be updated, and you will never be able to verify the old
 file because you do not have the old signature that goes with it. All
 you could do in that case would be to download the updated file and
 the updated signature and verify the new file only.

 Once you have both the file and the signature that goes with it (named
 the same, but with an additional `.sig' extension), then you are set
 to verify the integrity of the file.

 The first time you verify one of my files, you will need to retrieve
 my public key to use in the verification process. This is a once-off
 thing, which you will not need to repeat. You can get this key either
 by downloading it directly from this gopherhole (in the `resources'
 folder or main index), or by obtaining it from one of the public
 "keyservers" that are out there.


3.1 Downloading and Importing the Key from here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 These are the required steps:

 1. Go to the main index or resources folder of this gopherhole, find
    the link to download my public key, and download it to your
    computer.
 2. Use your keyring manager, for example, Kleopatra, to import the
    downloaded public key (sometimes called a "certificate").
 3. Use your keyring manager to check that the fingerprint of the
    imported key matches the one published in this gopherhole or the
    website.

 You can generally also use a command line to do this, if you wish. For
 example, to import a key from `some-key.asc':

 ,----
 | $ gpg --import some-key.asc
 `----

 Downloading my key from here obviously assumes that the Torah Toolbox
 gopherhole itself has not been compromised.


3.2 Obtaining the Public Key from a Public Keyserver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 There are only two steps required for this:

 1. Use your keyring manager, for example, Kleopatra, to search for and
    import my public key. Search for `[email protected]'
 2. Use your keyring manager to check that the fingerprint of the
    imported key matches the one published in this gopherhole or the
    website.

 Using the `gpg' command line, you could do the same with the following
 command:

 ,----
 | $ gpg --search-keys [email protected]
 `----


3.3 Verifying a Downloaded File Against its Signature
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 With the `.sig' file and the document file in the same
 folder/directory, follow these steps:

 1. Open your keyring manager, for example, Kleopatra, and select the
    option to verify a file. In Kleopatra, you may find this on the
    toolbar, where it is called "Decrypt/verify...".
 2. Select the `.sig' file and choose "Open".

 If all goes well, you will have a message displayed to you which says
 that a valid signature from me (my email address) was found.

 You can generally do the same thing using the command line, similar to
 the following example:

 ,----
 | $ gpg --verify the-name-of-the-article.pdf.sig
 `----

 and you should get results similar to:

 ,----
 | gpg: assuming signed data in 'the-name-of-the-article.pdf'
 | gpg: Signature made Thu 28 May 2020 09:31:29 AEST
 | gpg:                using RSA key B3F45566982B67549B1FE2865676F1279D1C2A91
 | gpg: Good signature from "David Trudgett <David.Trudgett@emailaddress>"
 `----

 The example commands assume, of course, that you are using GnuPG.
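 The fingerprint check in steps 3 of sections 3.1 and 3.2, and the
 verification in section 3.3, can be scripted so that the check is not
 skipped by accident. The Python script below is an added example, not
 part of this HOWTO or of GnuPG; it drives the `gpg' binary with its
 machine-readable output (`--with-colons' for key files, `--status-fd'
 for verification) and accepts a file only when the signing key's full
 fingerprint equals a value pinned in advance. The pinned fingerprint is
 the one shown in the sample output above; the sample status lines in
 the script are constructed to look like that run and are not captured
 output. The point it demonstrates is that the "Good signature" text
 (the GOODSIG status line) only names a key id and a user id, and a
 different key with the same name and address would also read as
 "Good", so the VALIDSIG fingerprint is what has to be compared.

```python
"""Check a downloaded OpenPGP key's fingerprint and verify a detached signature.

Added example, not part of the original HOWTO.  Reads gpg's machine-readable
output and compares fingerprints against a value pinned in advance.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Fingerprint taken from the HOWTO's sample `gpg --verify` output.
PINNED_FINGERPRINT = "B3F45566982B67549B1FE2865676F1279D1C2A91"


def normalise(fpr: str) -> str:
    """Strip the spaces GnuPG prints between fingerprint groups; compare upper-case."""
    return fpr.replace(" ", "").upper()


def fingerprints_in_colon_output(text: str) -> List[str]:
    """Pull fingerprints out of `gpg --with-colons` output (field 10 of 'fpr' records)."""
    found = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            found.append(fields[9].upper())
    return found


def key_file_matches(key_path: str, pinned_fpr: str = PINNED_FINGERPRINT) -> bool:
    """Inspect a downloaded key file *before* importing it (sections 3.1 / 3.2)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--import-options", "show-only",
         "--import", key_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    fprs = fingerprints_in_colon_output(proc.stdout)
    # The primary key's fingerprint is the first fpr record in the listing.
    return bool(fprs) and fprs[0] == normalise(pinned_fpr)


@dataclass
class VerifyResult:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def parse_status(status_text: str, pinned_fpr: str = PINNED_FINGERPRINT) -> VerifyResult:
    """Interpret `gpg --status-fd` lines from a --verify run.

    Only VALIDSIG establishes a good signature; its second field is the full
    fingerprint of the signing key.  GOODSIG carries just a 64-bit key id and
    the user id string, neither of which is safe to pin on.
    """
    pinned = normalise(pinned_fpr)
    fingerprint = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            fingerprint = fields[2].upper()
        elif keyword == "BADSIG":
            return VerifyResult(False, None, "signature does not match the file (BADSIG)")
        elif keyword in ("NO_PUBKEY", "ERRSIG"):
            return VerifyResult(False, None, "could not check signature (%s)" % keyword)
        elif keyword in ("EXPKEYSIG", "REVKEYSIG"):
            return VerifyResult(False, None, "signing key expired or revoked (%s)" % keyword)
    if fingerprint is None:
        return VerifyResult(False, None, "no VALIDSIG line in gpg status output")
    if fingerprint != pinned:
        return VerifyResult(False, fingerprint, "signer %s is not the pinned key" % fingerprint)
    return VerifyResult(True, fingerprint, "valid signature from the pinned key")


def verify_file(sig_path: str, pinned_fpr: str = PINNED_FINGERPRINT) -> VerifyResult:
    """Run `gpg --verify` on a detached .sig; the data file is assumed alongside it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return parse_status(proc.stdout, pinned_fpr)


# Constructed status output modelled on the HOWTO's example; the timestamp and
# the surrounding lines are illustrative, not captured from a real run.
SAMPLE_GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5676F1279D1C2A91 David Trudgett <David.Trudgett@emailaddress>
[GNUPG:] VALIDSIG B3F45566982B67549B1FE2865676F1279D1C2A91 2020-05-27 1590622289 0 4 0 1 8 00 B3F45566982B67549B1FE2865676F1279D1C2A91
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: a cryptographically good signature made by a different key that
# carries the same name.  Without pinning, gpg's text still reads "Good signature".
SAMPLE_IMPOSTOR_STATUS = SAMPLE_GOOD_STATUS.replace(
    "B3F45566982B67549B1FE2865676F1279D1C2A91", "1111111111111111111111111111111111111111")
# Constructed: the file was altered after it was signed.
SAMPLE_BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 5676F1279D1C2A91 David Trudgett <David.Trudgett@emailaddress>\n"

if __name__ == "__main__":
    import sys
    # Usage: python verify_pinned.py the-name-of-the-article.pdf.sig
    result = verify_file(sys.argv[1]) if len(sys.argv) > 1 else parse_status(SAMPLE_GOOD_STATUS)
    print(("OK: " if result.ok else "FAILED: ") + result.reason)
    sys.exit(0 if result.ok else 1)
```

 Because the script compares the full fingerprint itself, it does not
 depend on GnuPG's web-of-trust setting: the "This key is not certified
 with a trusted signature" warning that `gpg --verify' prints for an
 uncertified key is irrelevant here, and so is the exit code, which is
 why the result is read from the status lines rather than from either.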