Information on my PGP public key
Warning
I no longer use my PGP key, but this information might still be useful.
What is this about?
I could not explain it better than our dear Wikipedia friend: GPG on Wikipedia. Another good reference is this wikibook on GPG.
I suggest you go read these, to learn more about GPG or to refresh your ideas on the subject, before reading the rest of this page.
Where and when do I use it?
Sign to ensure the origin of a file
I try to make a habit of signing the important files (binaries, PDFs, etc.) that can be downloaded from this website (and the other websites I use).
This allows anyone to be sure that they downloaded the correct file: my signing key is private, so I should (hopefully) be the only one able to produce these digital signatures.
Most of the addresses (URLs) of files I give on these web pages can be appended with a short .asc at the end of the address to download the signature: for instance, cv.en.pdf and cv.en.pdf.asc, or, for this page, pgp.en.html has its signature in the file pgp.en.html.asc.
More examples
For instance, my Bash profile file, .bashrc, has a signature .bashrc.asc.
With the sphinx-doc extension sphinx.ext.runblock, it is possible to include here in this web page the command that was used to generate this digital signature (and its output):
$ LANG=en gpg --detach-sign --armor --quiet -o - /home/lilian/.bashrc
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE/DSleRq5aEZtX0W7LaPXUOHniXEFAmXbk9UACgkQLaPXUOHn
iXFLbg//cEAiQO7oJCwr1bpk/tRCQcyNgBH+1VW2xHmVLjBHq3fCCAwaJ/6U4mR9
MsgYQB/AG2al7fdpch9jBPG0WBSpDH3YroN2aaD0hh/SUkoiRKTukAr7odnXEI/R
sPBTJGziObnN4b+R2HwSCnOcoybfNXyLcz3vAr408pWa3XBI3Izr21CBb84ONIJc
ExG/cQoENZXkXCfl3A/Hcquwbc3eF0jIt8xJnMkq12wCERzcgJX/J09gC/rF63bN
ktHJ36HwZTL2m8N8L2eLfTnvyYFaPT2t5b7D6LpXGhRfAxifJ3kwtsF1thyzgw/O
dAQ+R6Puv9/dela3kAZVuBr0d0LRmsZXzuNC/tvFFY+IRA2fBViX2ZME+NN3y2eJ
K8X2AoejuZ2WqQNwyMbJDja6ffvl0cE0aUOSNsYAp7SzOoOzqfTPDVItn6B6E85F
4ZB+ETf33KyCV+QepmmgcARBqLwLnwcYH53Sj1WbxKGD8cmu67YkPjSZGA/3wldZ
QTiH1Whcks9XO48LvbyN7miHyMpd2ESD+EHPEG5lb8SEJeExZ7O2j+x+lrwWS8M2
gOo3TN9l1HKEpDhs4yCx1MlHqN+Uw+ZZ9jyvqrgZGzo33iybGagZD1KIN8pviEH5
UpoOJiUwuCtWyK8e3wWVQW1goJEcxAi8Wb2UIBkKRgNceyfdnU8=
=mF6L
-----END PGP SIGNATURE-----
How to use these .asc files?
It is possible to check these signatures with my public key, and that is the main purpose of the .asc files!
First, you have to import my public key into your list of trusted keys (your trust ring, i.e. your local keyring).
In this case, my public key is in the file Lilian_Besson.asc, and you need:
- to download it, as explained in the next paragraph;
- and then to check its MD5 and SHA256 checksums, to be sure you downloaded the right file! Simply compare the output of the md5sum and sha256sum commands to the ones below.
From my trust ring:
$ LANG=en GPGKEY=`gpg.sh` gpg --export --armor $GPGKEY | md5sum
$ LANG=en GPGKEY=`gpg.sh` gpg --export --armor $GPGKEY | sha256sum
bash: ligne 1: gpg.sh : commande introuvable
gpg: WARNING: nothing exported
bash: ligne 2: gpg.sh : commande introuvable
gpg: WARNING: nothing exported
And from the file you downloaded, Lilian_Besson.asc:
$ # Use ./Lilian_Besson.asc to check the file in the current directory
$ md5sum ~/Lilian_Besson.asc
$ sha256sum ~/Lilian_Besson.asc
82ff907cec5b79cee2adc09cd6dfde67 /home/lilian/Lilian_Besson.asc
8147d961a1de1f2dbc25299e50d0b0aaa074a9484bde7d2ddcb8dd084f387132 /home/lilian/Lilian_Besson.asc
This step is simply here to check that you downloaded the right public key (the .asc file is its ASCII armor, i.e. a text representation of its content).
Then you have to import it into your trust ring (locally, on your machine):
gpg --import Lilian_Besson.asc
And now you can check the signature file.asc of any file named file with this simple command:
gpg --verify file.asc file
Example (2)
And so, for the .bashrc file, if you downloaded it and its signature, you just have to run:
gpg --verify .bashrc.asc .bashrc
Then, hopefully, if you downloaded the files and have imported my public key, it should give you a message like this one:
$ LANG=en gpg --verify ~/.bashrc.asc ~/.bashrc
gpg: Signature made Sun Feb 21 23:28:38 2021 CET
gpg: using RSA key FC34A5791AB968466D5F45BB2DA3D750E1E78971
gpg: BAD signature from "Lilian Besson (@Naereen) <lilian@besson.link>" [ultimate]
It should work just fine!
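As an added example (not the author's code, and not part of this page originally), here is a small Python wrapper that scripts the two checks described above: comparing the SHA256 checksum of a downloaded file, and running gpg --verify with its machine-readable status lines so that a BAD signature, a missing public key, or a good signature from some other key in your keyring is all rejected. The expected fingerprint is the one gpg prints in the output above; the checksum values and status lines used for testing are constructed.

```python
import hashlib
import hmac
import subprocess

# Full fingerprint of the key the file must be signed with (the one gpg
# prints on this page); any other key in the keyring must be rejected.
EXPECTED_FPR = "FC34A5791AB968466D5F45BB2DA3D750E1E78971"


def checksum_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the SHA256 of downloaded bytes with the published digest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex.strip().lower())


def parse_gpg_status(status_text: str, expected_fpr: str = EXPECTED_FPR):
    """Interpret the '[GNUPG:] ...' lines gpg emits with --status-fd.

    Returns (ok, reason). ok is True only for a GOODSIG whose VALIDSIG
    fingerprint equals expected_fpr: "Good signature" from some other key
    that happens to be in the keyring is not good enough.
    """
    good, fpr = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "BADSIG":          # shown as "BAD signature" by gpg
            return False, "BADSIG: the file or its .asc was altered"
        if keyword == "NO_PUBKEY":       # public key not imported yet
            return False, "NO_PUBKEY: import the signer's key first"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fpr = fields[2].upper()      # field 2 is the full fingerprint
    if not good:
        return False, "no signature was verified"
    if fpr != expected_fpr.upper():
        return False, f"good signature, but from unexpected key {fpr}"
    return True, f"good signature from the expected key {fpr}"


def verify_detached(file_path: str, sig_path: str, expected_fpr: str = EXPECTED_FPR):
    """Run 'gpg --verify file.asc file' and judge it by its status lines."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False, "gpg is not installed"
    return parse_gpg_status(proc.stdout, expected_fpr)
```

Call verify_detached(".bashrc", ".bashrc.asc") after importing the public key; the returned reason tells you which of the three failure cases you hit.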
My public key
The fingerprint (short key ID) of my key is C108F8A0.
One simpler way of importing my key is to simply look it up directly, on one of these two key servers:
- keyserver.ubuntu.com;
- pgp.mit.edu.
A quick look-up on these PGP key servers gives: