
Yes
You just summarized my post with a few words haha
Wait, no. The dev signs the software (or whatever). The signature IS the hash "encrypted" with the private key.
reply
madness 😂
so if abcd.dmg.asc with abcd.dmg - no need. but abcdfrfsve.dmg.asc with abcd.dmg - need.
did you use a new key to sign that?
reply
did you use a new key to sign that?
No, I just used gpg --clearsign. I just hoped it would pick the right key haha.
Due to the markdown formatting, it might get tricky, but you should be able to go to #437477/edit to see the raw formatting.
edit: Oh no, it picked a wrong GPG secret key 🙈
Will post new message with my ekzyis@ekzyis.com GPG key
reply
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I, @ek, author of The Curious Case of Digital Signatures, a post that received 20k+ sats on SN, the first of his nym, hereby vouch for the GPG skills of @Natalia, the first of her nym (on SN at least), a stacker with multiple good posts on SN (see profile), one even in the all-time top posts (at the time of writing this).
May the force of verifying digital signatures be with her forever.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
reply
let me do more practice to verify these newly learned skills 🥁
reply
You don't want to know how much I am learning myself haha
reply
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I still don't get the part when you need to do the checksum or not? 👀
No worries! This means I didn't explain well enough (among other things) 👀
You need to do the checksum stuff when the name of the signature file without .asc at the end is not the same as the software you downloaded.
Examples:
  1. Electrum: Signature is named electrum-4.5.3.dmg.asc and software is named electrum-4.5.3.dmg. This means the software was signed.
  2. Sparrow: Signature is named sparrow-1.8.2-manifest.txt.asc and software is named Sparrow-1.8.2-x86_64.dmg. This means that the software was not signed but Sparrow-1.8.2-manifest.txt.
So it depends on what was signed. You can sign anything. Like I just signed this message. Try to verify the signature :)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
reply
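The rule from the comment above, as an added example that is not part of the original thread: when the `.asc` name minus `.asc` is not the download's name, the signature only covers a manifest, and the hash comparison is what ties the download to it. The function names are hypothetical, and the manifest is assumed to use `sha256sum`-style lines (`<hex digest>  <file name>`).

```python
import hashlib
import subprocess
from pathlib import Path


def signed_file_name(sig_name: str) -> str:
    """Name of the file a detached signature covers: the .asc name minus '.asc'."""
    if not sig_name.endswith(".asc"):
        raise ValueError("expected a detached signature ending in .asc")
    return sig_name[: -len(".asc")]


def needs_checksum(sig_name: str, download_name: str) -> bool:
    """True when the signature covers another file (a manifest), not the download."""
    return signed_file_name(sig_name) != download_name


def manifest_lists(manifest_text: str, download_name: str, data: bytes) -> bool:
    """True only if the manifest has a line for this name whose SHA-256 matches data."""
    digest = hashlib.sha256(data).hexdigest()
    for line in manifest_text.splitlines():
        parts = line.strip().split(maxsplit=1)
        # sha256sum marks binary mode with a leading '*' on the file name
        if len(parts) == 2 and parts[1].lstrip("*") == download_name:
            return parts[0].lower() == digest
    return False  # a download the manifest never mentions is not covered at all


def verify_download(sig: Path, download: Path) -> bool:
    """Verify the signature over what was signed, then bind the download to it."""
    signed = sig.with_name(signed_file_name(sig.name))
    if subprocess.run(["gpg", "--verify", str(sig), str(signed)]).returncode != 0:
        return False
    if not needs_checksum(sig.name, download.name):
        return True  # the signature already covers the download itself
    # Signature is good, but only for the manifest: now compare hashes.
    return manifest_lists(signed.read_text(), download.name, download.read_bytes())
```

A good signature on the manifest alone says nothing about the `.dmg`; only the matching hash line does.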
But how can I verify that you verified 👀
Maybe I just need to trust you :)
reply
updated 👀 this is so much fun!
reply
this is so much fun!
Oh yeah? Then verify this haha:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

verified, signed from the @ek who taught me about PGP. 😎
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

gpg: Signature made Sat 24 Feb 2024 06:25:56 PM CET
gpg:                using RSA key 034205DB3B15039EC35E763AEF28041753CB236D
gpg: Good signature from "Natalia <Natalia@geoarbitrage.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0342 05DB 3B15 039E C35E  763A EF28 0417 53CB 236D

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
Now I also understand why GPG replaces "-" with "- ". Seems like it wants to prevent confusion with its own markers like
-----BEGIN PGP SIGNATURE-----
Interesting 👀
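The dash-escaping observation above, as an added example that is not part of the original thread: a small splitter for the cleartext framing, run on a constructed nested message with placeholder signature bodies instead of real signatures. All function names are hypothetical.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def dash_escape(text: str) -> str:
    """Prefix every line that starts with '-' with '- ', as cleartext signing does."""
    return "\n".join("- " + l if l.startswith("-") else l for l in text.split("\n"))


def dash_unescape(text: str) -> str:
    """Undo dash_escape: drop a leading '- ' from each line that has one."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in text.split("\n"))


def clearsign_frame(text: str, sig_body: str) -> str:
    """Wrap text in the cleartext framing; sig_body is a placeholder, not a signature."""
    return "\n".join([BEGIN_MSG, "Hash: SHA256", "", dash_escape(text),
                      BEGIN_SIG, "", sig_body, END_SIG])


def split_cleartext(message: str, escaped: bool = True):
    """Split one layer into (signed text, signature block)."""
    lines = message.split("\n")
    if lines[0] != BEGIN_MSG:
        raise ValueError("not a cleartext signed message")
    body_start = lines.index("") + 1  # armor headers end at the first empty line
    # The text ends at the first line that is exactly the signature marker.
    # Escaped inner markers read "- -----BEGIN ..." and so never match here.
    sig_start = lines.index(BEGIN_SIG, body_start)
    body = "\n".join(lines[body_start:sig_start])
    return (dash_unescape(body) if escaped else body), "\n".join(lines[sig_start:])


# Constructed sample shaped like the nested message in the thread.
INNER = clearsign_frame("verified, signed from the @ek who taught me about PGP.",
                        "INNER-PLACEHOLDER")
OUTER = clearsign_frame(INNER, "OUTER-PLACEHOLDER")
```

Splitting `OUTER` returns `INNER` intact; the same split on an unescaped nesting stops at the inner signature marker and cuts the signed text short.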