Total newb question: verifying signatures? - PGP


  1. Total newb question: verifying signatures?

    So, I understand the principle behind people "signing" their messages,
    but how do you verify them? Do you look up their key somehow?

    Just getting started in all this so forgive the newb type question.

    Zach

  2. Re: Total newb question: verifying signatures?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Zach Wells wrote:
    > So, I understand the principle behind people "signing" their
    > messages, but how do you verify them? Do you look up their key
    > somehow?
    >
    > Just getting started in all this so forgive the newb type question.
    >
    >
    > Zach


    Just open the message, then click on your PGP icon, select current
    window, then select decrypt and verify. That's it!

    Martin

    -----BEGIN PGP SIGNATURE-----
    Version: 6.5.8ckt ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/
    Comment: KeyID: 0x581E4CE1

    iQA/AwUBQJ5iFnELag5YHkzhEQIzVgCfbswG/QH0dEcaMVYtgXPtNynOXIkAoKdy
    SlZGFdjmBTTUp6fFqwmsCxie
    =+2bo
    -----END PGP SIGNATURE-----

  3. Re: Total newb question: verifying signatures?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Martin wrote in
    news:409e621e$0$20513$cc9e4d1f@news-text.dial.pipex.com:

    > Just open the message, then click on your PGP icon, select current
    > window, then select decrypt and verify. That's it!


    Of course, you need to have the public key of the signer. So, you may
    want to set PGP Preferences/Options - Servers tab for Verification; then
    any time you attempt to verify a PGP signed message for which you do not
    have the necessary public key, PGP will automatically connect to a server
    and begin searching for it. If the key is on the server, that will find
    it, but it does not establish who that key actually belongs to.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3
    Comment: My PGP Page & FAQ: http://www.McCune.cc/PGP.htm

    -----END PGP SIGNATURE-----

  4. Re: Total newb question: verifying signatures?

    Thanks for the responses guys, although it prompts another question.
    When I try to verify your signatures, I get the following:

    *** PGP SIGNATURE VERIFICATION ***
    *** Status: Bad Signature from Invalid Key
    *** Alert: Signature did not verify. Message has been altered.
    *** Alert: Please verify signer's key before trusting signature.
    *** Signer: Martin Sayers (0x581E4CE1)
    *** Signed: 5/9/2004 12:53:42 PM
    *** Verified: 5/9/2004 8:32:54 PM
    *** BEGIN PGP VERIFIED MESSAGE ***

    I get that error on both Martin and Tom's keys. What am I doing wrong? I
    did another random person's signature and it verified fine so I'm not
    sure what I'm doing wrong since I did the exact same thing in all cases.

    Zach


    Tom McCune wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Martin wrote in
    > news:409e621e$0$20513$cc9e4d1f@news-text.dial.pipex.com:
    >
    >
    >>Just open the message, then click on your PGP icon, select current
    >>window, then select decrypt and verify. That's it!

    >
    >
    > Of course, you need to have the public key of the signer. So, you may
    > want to set PGP Preferences/Options - Servers tab for Verification; then
    > any time you attempt to verify a PGP signed message for which you do not
    > have the necessary public key, PGP will automatically connect to a server
    > and begin searching for it. If the key is on the server, that will find
    > it, but it does not establish who that key actually belongs to.
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 8.0.3
    > Comment: My PGP Page & FAQ: http://www.McCune.cc/PGP.htm
    >
    > -----END PGP SIGNATURE-----


  5. Re: Total newb question: verifying signatures?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Zach Wells wrote in
    news:2g8130F5cveiU1@uni-berlin.de:

    > Thanks for the responses guys, although it prompts another question.
    > When I try to verify your signatures, I get the following:
    >
    > *** PGP SIGNATURE VERIFICATION ***
    > *** Status: Bad Signature from Invalid Key
    > *** Alert: Signature did not verify. Message has been altered.
    > *** Alert: Please verify signer's key before trusting signature.
    > *** Signer: Martin Sayers (0x581E4CE1)
    > *** Signed: 5/9/2004 12:53:42 PM
    > *** Verified: 5/9/2004 8:32:54 PM
    > *** BEGIN PGP VERIFIED MESSAGE ***
    >
    > I get that error on both Martin and Tom's keys. What am I doing wrong?
    > I did another random person's signature and it verified fine so I'm
    > not sure what I'm doing wrong since I did the exact same thing in all
    > cases.


    I got valid sigs on both Martin's and my post, so the problem does appear
    to be on your end. I see you are using Mozilla Thunderbird, and am aware
    of others reporting it producing such problems, so that may just be it.
    I can only suggest that you make sure your window is maximized; and if
    you can set your reader window line wrap, try increasing its size.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3
    Comment: My PGP Page & FAQ: http://www.McCune.cc/PGP.htm

    -----END PGP SIGNATURE-----

  6. Re: Total newb question: verifying signatures?



    Tom McCune wrote:

    > Zach Wells wrote in
    > news:2g8130F5cveiU1@uni-berlin.de:
    >
    >
    > I got valid sigs on both Martin's and my post, so the problem does appear
    > to be on your end. I see you are using Mozilla Thunderbird, and am aware
    > of others reporting it producing such problems, so that may just be it.
    > I can only suggest that you make sure your window is maximized; and if
    > you can set your reader window line wrap, try increasing its size.
    >


    Ok, after some digging and a conversion from PGP 8.X to GPG 1.2.4 I seem
    to have it working. However, I have yet another question.

    An "untrusted" but "verified" key simply means that the signature that
    was posted is valid, meaning it is registered. But, it really doesn't
    ensure that you, the person you say you are, are really the valid owner
    of that key, right? Couldn't anyone simply troll a NG and copy/paste
    your signature and post as you?

    Another question, is your signature the equivalent of your public key?
    In other words, could I use your signature to encrypt a message and send
    it to you so you could decrypt?

    Again, sorry for all the newb questions but there is a lot of info to
    absorb and I'm only on my first day of research.

    Zach

  7. Re: Total newb question: verifying signatures?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Zach Wells writes:

    >An "untrusted" but "verified" key simply means that the signature that
    >was posted is valid, meaning it is registered. But, it really doesn't
    >ensure that you, the person you say you are, are really the valid owner
    >of that key, right?


    That's about right. You have to decide key ownership some other
    way. Read about the PGP web of trust in the documentation.

    > Couldn't anyone simply troll a NG and copy/paste
    >your signature and post as you?


    No. A signature is only valid for the document that was signed.

    >Another question, is your signature the equivalent of your public key?


    No.

    >In other words, could I use your signature to encrypt a message and send
    >it to you so you could decrypt?


    No, you couldn't.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (SunOS)

    iD8DBQFAnvj6vmGe70vHPUMRAtApAJ0aSJsq8YzpKxbFM91D3l 0+cImjVgCeNw0Q
    o8nE8uVGPXoqAXR2PLyHicA=
    =3hNx
    -----END PGP SIGNATURE-----
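
Added example, not part of the thread and not PGP's or GnuPG's own code: a textbook-RSA sketch in Python showing the two points made in the replies above, that a signature only checks out against the exact text that was signed (so a changed line wrap or a signature pasted under other text fails), and that a good signature says nothing about who owns the key. The key, the sample post, the function names and the status strings are all constructed for illustration.

```python
import hashlib

# Constructed demo key: textbook RSA over two Mersenne primes. Insecure and
# not the OpenPGP format; it only shows what a signature is bound to.
P, Q = 2**521 - 1, 2**607 - 1
PUBLIC_KEY = (P * Q, 65537)                       # published by the signer
PRIVATE_EXP = pow(65537, -1, (P - 1) * (Q - 1))   # never leaves the signer

def digest(text):
    """Hash of the exact text; any changed character changes this number."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(text):
    """Signer side: computed from the text and the private key."""
    return pow(digest(text), PRIVATE_EXP, PUBLIC_KEY[0])

def signature_matches(text, signature, public_key):
    """Verifier side: needs only the public key and the received text."""
    n, e = public_key
    return pow(signature, e, n) == digest(text)

def fingerprint(public_key):
    """Short identifier a person can compare with the owner out of band."""
    return hashlib.sha256(repr(public_key).encode()).hexdigest()[:16]

def check(text, signature, public_key, confirmed_fingerprints):
    """Two separate questions: does it verify, and is the key owner confirmed?"""
    if not signature_matches(text, signature, public_key):
        return "bad signature"
    if fingerprint(public_key) not in confirmed_fingerprints:
        return "good signature, key owner not confirmed"
    return "good signature, key owner confirmed"

# Constructed sample post and what a reader might receive.
POST = "Just open the message, then select\ndecrypt and verify."
SIG = sign(POST)
REWRAPPED = POST.replace("\n", " ")    # mail client changed the line wrap
OTHER = "A different post that the signer never wrote."

def demo():
    confirmed = {fingerprint(PUBLIC_KEY)}
    return {
        "original, key only fetched from a server": check(POST, SIG, PUBLIC_KEY, set()),
        "original, fingerprint confirmed": check(POST, SIG, PUBLIC_KEY, confirmed),
        "re-wrapped text": check(REWRAPPED, SIG, PUBLIC_KEY, confirmed),
        "signature pasted under other text": check(OTHER, SIG, PUBLIC_KEY, confirmed),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The signature is a different number for every text, while the public key stays the same, which is why the signature cannot stand in for the key.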


  8. Re: Total newb question: verifying signatures?

    Zach Wells wrote in news:2g8ak6F5bijlU1@uni-berlin.de:

    > Ok, after some digging and a conversion from PGP 8.X to GPG 1.2.4 I seem
    > to have it working. However, I have yet another question.
    >
    > An "untrusted" but "verified" key simply means that the signature that
    > was posted is valid, meaning it is registered. But, it really doesn't
    > ensure that you, the person you say you are, are really the valid owner
    > of that key, right? Couldn't anyone simply troll a NG and copy/paste
    > your signature and post as you?
    >
    > Another question, is your signature the equivalent of your public key?
    > In other words, could I use your signature to encrypt a message and send
    > it to you so you could decrypt?
    >
    > Again, sorry for all the newb questions but there is a lot of info to
    > absorb and I'm only on my first day of research.


    These FAQ sections should cover your questions:
    http://www.mccune.cc/PGPpage2.htm#Privacy&Authenticity
    http://www.mccune.cc/PGPpage2.htm#Bad-Invalid

    --
    Tom McCune
    My PGP Page & FAQ: http://www.McCune.cc/PGP.htm

  9. Re: Total newb question: verifying signatures?

    Tom McCune wrote:
    >
    > These FAQ sections should cover your questions:
    > http://www.mccune.cc/PGPpage2.htm#Privacy&Authenticity
    > http://www.mccune.cc/PGPpage2.htm#Bad-Invalid
    >


    Perfect, thanks. I had actually read through your faq a couple times but
    with so much information I evidently didn't absorb those particular
    topics.

    Zach

  10. Re: Total newb question: verifying signatures?

    Neil W Rickert wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Zach Wells writes:
    >
    >
    >>An "untrusted" but "verified" key simply means that the signature that
    >>was posted is valid, meaning it is registered. But, it really doesn't
    >>ensure that you, the person you say you are, are really the valid owner
    >>of that key, right?

    >
    >
    > That's about right. You have to decide key ownership some other
    > way. Read about the PGP web of trust in the documentation.
    >
    >
    >> Couldn't anyone simply troll a NG and copy/paste
    >>your signature and post as you?

    >
    >
    > No. A signature is only valid for the document that was signed.
    >


    Excellent, makes sense. Thanks.

    Zach
