pull down to refresh

It just makes me feel uneasy if people are not aware that this is important.
like @DarthCoin say - education is key 🔑
Haha yes. Like a secret key hidden in plain sight.
reply
is my understanding correct?
the logic behind this is the dev uses his private key to sign the signature ( asc ) which then hash the software.
reply
359 sats \ 24 replies \ @ek OP 24 Feb
Yes
You just summarized my post with a few words haha
Wait, no. The dev signs the software (or whatever). The signature IS the hash "encrypted" with the private key.
reply
hmmmm, I need to do more practice to understand it better, and I still don't get the part when you need to do the checksum or not? 👀
reply
deleted by author
reply
madness 😂
so if abcd.dmg.asc with abcd.dmg - no need. but abcdfrfsve.dmg.asc with abcd.dmg - need.
did you use a new key to sign that?
reply
did you use a new key to sign that?
No, I just used gpg --clearsign. I just hoped it would pick the right key haha.
Due to the markdown formatting, it might get tricky, but you should be able to use go to #437477/edit to see the raw formatting.
edit: Oh no, it picked a wrong GPG secret key 🙈
Will post new message with my ekzyis@ekzyis.com GPG key
deleted by author
reply
1568 sats \ 1 reply \ @Natalia 24 Feb
a real LIVE time learning! too much fun, thanks for your kindness and patience @ek
May the patience will always with you!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I, @ek, author of The Curious Case of Digital Signatures, a post that received 20k+ sats on SN, the first of his nym, hereby vouch for the GPG skills of @Natalia, the first of her nym (on SN at least), a stacker with multiple good posts on SN (see profile), one even in the all-time top posts (at the time of writing this).
May the force of verifying digital signatures be with her forever.
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCAAwFiEER3BdefVXE2Q1VvSZ7Ow39o+3M5gFAmXaJRUSHGVrenlpc0Bl a3p5aXMuY29tAAoJEOzsN/aPtzOYGB8QAL2x1Cnrv4K9U/FcbmbFt/2XNEHNGcus PYgMI7JFmUlGQlMkVetQhtPyeaWsbwdAN3yzljTpNEA6nTykkfsY+V6QrJD59J62 Lg1c5ENr7kkjE5dZLPGzsHpzi5KA6nUUjWKhBLOQavnPkSeo28zy4wa9kRYvmm21 qNCA81Eo5CZKR4T9JMJU6ShvGgZRC+UnfSJXIoYVwnvqQ8DJ/8OIxuEk/vd6cQYw rgLEiVCWwccE0zdJSzgktHPFxoB84ZG4q5gJXeD81l/BwGMyY3N9j9dOjhDtmzEy HjUO6P+ltktzRYNUzanzXKEZAGbugcbO+Nv3DrCzBcNp360hmeHR5WXHyo9W6knW uOp6qyeUoHzEDPTvIaZfJCopZ0kWl3w3RK19R172EEuG/V51TZ4GIzGG6QDNGQM5 SMbZGEIdobdcAY8zk1I8eC2uUrYOORuXFWZANQrU+rS9+BwstbFRDBcX9v7bFp+Y Gf2xzTpPjj2KIWi3hXDhZ/9VfseIWxNBu/hir4c38GUDzHDmSIVKtTBu4+OGDmYw J/okXZPF1qz6tHy47vPmHdHcGo7fhENL8iFvW0x7m3b3Ce8m2NviE4YPl8DC1igw 5aJrsFk3F2e81j8b8SaDGYeSwjuMXNryNccrJfITih0sZMXokIzAVr1LfCaRfgLp BcYN2WurK4qy =8itW -----END PGP SIGNATURE-----
let me do more practice to verify this newly learned skills 🥁
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I still don't get the part when you need to do the checksum or not? 👀
No worries! This means I didn't explain well enough (among other things) 👀
You need to do the checksum stuff when the name of the signature file without .asc at the end is not the same as the software you downloaded.
Examples:
  1. Electrum: Signature is named electrum-4.5.3.dmg.asc and software is named electrum-4.5.3.dmg. This means the software was signed.
  2. Sparrow: Signature is named sparrow-1.8.2-manifest.txt.asc and software is named Sparrow-1.8.2-x86_64.dmg. This means that the software was not signed but Sparrow-1.8.2-manifest.txt.
So it depends on what was signed. You can sign anything. Like I just signed this message. Try to verify the signature :)
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCAAwFiEER3BdefVXE2Q1VvSZ7Ow39o+3M5gFAmXaJGUSHGVrenlpc0Bl a3p5aXMuY29tAAoJEOzsN/aPtzOYTCIP/1pMj/AJGDa3BKXDbB7Uc5lZ5agsPlTw 0p+eP9zIFUdcFNNTF5UZRi/QJn2deD/9fkSG/cBcTE0wH7cK0HRNl+fQ3balNOta ublTjOnbEEp+2LcAoxfbjvvywjxW9QL7N9JLJ5yOfrLUpWS0w8OM6u5Z+gPBsYGG NaJyigh7cSAx/uAgNMFKA+aidGaqG+oBGtK2xxqdj2T0kukydc2l2sl40/sotRB/ Q+4xmOrg0o+dXXAiorlgFaX8o+bPKk1O4bnDFClQW+m3/PajWEJaOGS50KD2kbmi GweFZSooAgkzH4t5WRoTLtzdAqu5oM5idRkklNCJaXSpCYLFrgp6mTLiIOwqG6fd JOSIZQv4h12G210fhNu3k0xr9Y4fXrYM5bH+uH3JUeUATXMIZbx4mN5iIlMLA68r r+9yT43UgHcUFqRxg8SxCPY0CcIAm+djdfvcv3eY1I8HsxEaL/84gS+WqgPmvTZ3 LmX8Tq4lsl7lVy46efaFxP2yXU4hCriWlfuIf/7/ddgiwdKxiFHBzHzbuWcGdq9Z x2hbFAIMj3850IpkTPLlfYypFmvniLqEEWK38Lb3518m/+Bv40gJFwAimPXgZUK6 6TJqKEchtk71J8KabB2bLCHae0AVj1mOFx3z890pU5gmoQXDEhWZ6gz8wVTzN5zY PVfJJYgeWN/s =oo4+ -----END PGP SIGNATURE-----
reply
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
verified, signed from the @ek who taught me about PGP. 😎 -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEA0IF2zsVA57DXnY67ygEF1PLI20FAmXaJqQACgkQ7ygEF1PL I23F3g/9HGklWN5LvyiF+dtyFtWoSfRJQKVVlTgoF3IAq3CDP8/a7YTF3FhtF8LS 7hH0lDS6nZ1URRGbxckoMeDIdXySkXDWYz+mXzrCpFmMiu73cgdvU1g/XHuCeG9b ugG1mK4VN7HlnzakDc9XBpsaB3dMc2LiFoI/jGqIkdASo5rxccQ1k946weTTUUWq Ygkf0lsRhz0l1bbRVc3eoMp5az0kxKMDY2readQz5gr9UkRmiPc5IQZTlELcQhxK +HiuJ/DhyvFnA0++YIOrgR91SuK/VYgBZUMeySqaddz1K4RH+QvlweWXg4Scqapn 6BtRQPuO81s7juIZt/XjibQD/bsV0r5iOlb10C1BWRT9Btbe3X4s6nm9AaNmUaPL YyoU78+BnQlWUck2I2+djktU6wbod7fCiOCyrrA5vE6UPB/ONLprou7lOXWLsobO lqjaEzIZF5vqBxrpUuoJzHNsMOQ1Ane0oV4s8lXH7q2Zqkl99vfnnCd4/pQqZO72 8ZNtIrs/QAUpLjtyH7lY9fND6QXl97NEMVmhhM5Iz/mLSvYPo/PbLCaBJwZV+ky3 5rIXleM4KqvD/IgsrZNRwe9UMM7tBWylw/QERgW0vwVZvUMUApL5+oaYPSNwGpzl S0XG+eX6lK4HSifEpxLHlLPbSNCtU9srnz6rK2giKYQvD6JBc5c= =IQfZ -----END PGP SIGNATURE-----
reply
But how can I verify that you verified 👀
Maybe I just need to trust you :)