Signing all pages with GnuPG

So, two posts and already changed them twice. These ~tildzitens are teaching me more stuff that I expected. In a previous version of this post, I was self-publishing my public key (and using pgp.mit.edu for distribution), but now I’ll use a different public key (global, if you will), managed under Keybase.io (thanks dlowe for the invite!)

The general idea is to sign all posted pages in this blog using GnuPG. Not that I doubt my root (if fact I wouldn’t be here if I did), but there’s always a good practice in a shared host to add an extra layer of security. Thus, I’m signing all pages with my GnuPG key, also available on my Keybase account.

All pages get signed at render time, and a .asc file accompanies every HTML and XML feed in this blog. So, let’s say you wish to verify http://hackers.cool/~imt/index.html. First, you’ll have to fetch my GnuPG public key from a known key server:

$ gpg --keyserver pgp.mit.edu --recv-key C5241360
gpg: requesting key C5241360 from hkp server pgp.mit.edu
gpg: key C5241360: public key "keybase.io/imt <imt@keybase.io>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Next, download the page and the corresponding .asc signature file.

$ wget -q http://hackers.cool/~imt/index.html http://hackers.cool/~imt/index.html.asc

Last, but not least, run gpg --verify. Remember, the first argument is the .asc file (GnuPG ASCII signature armor)

$ gpg --verify index.html.asc index.html
gpg: Signature made Mon 08 Dec 2014 18:57:28 UTC using RSA key ID C5241360
gpg: Good signature from "keybase.io/imt <imt@keybase.io>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 185B EA37 4F1D E4BC F3F7  8A36 8A0E 8807 C524 1360

The phrase Good signature from “keybase.io/imt imt@keybase.io indicates the HTML page was not altered since it was signed with my GnuPG key.

In a next episode, how to get rid of the warning message This key is not certified with a trusted signature!.

PS. Here’s my GPG public key:

  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1
  
  mQINBFSF8iYBEADMhCpfvGvlY9yCcVtW9eA3rAb8kePtL5DSSmdjQ3/ooD1g3LQH
  kz0ccJuAs0BIAHSnGtv/Glj/5NoKZGEAAOxO+DP529mN93ogoVoV54s0qExBcdOE
  g5PA5xIUspylQvpuyT6e/IgWKGiwBwwwbKAlUO23YEsG7C0eMXZXfvBFkV9Alviq
  hlTm++Y6RdlOJd4YfXBASJpSTB3LU6R6Rm3YbQWS08W+UTzayDZJv2LxLlRB0vuK
  +S3Et6TzIz5oLSbmAIWCCS7YEd0JEuKGl91YZmeUUvK54lzPKS09MEx2J2nNafms
  6e73fG97OQHnvm5SJUpURbSynPeoF2UgTzEmiT/Iq7EV50h5HsJR/FsHejK+qlt4
  YAEWAKWOhSBDsxotwKZOEbk08Os3NlLcQNIcWMVDbKOIEDBSfLJKAV9ssYZ97tWG
  wZbN3SZ7n4Ab3/05mWVj4GYigod1TvY8htmkBPpwbP/J3jhNb35bkX7amoNURtjq
  EPEJm32UM3Kczmd0V5gQ2/Fd1jB6cnmFKpDyYHBTNOXdcslv8OWD6yyBQmQ8CVDM
  mw2xwb17TKXrVka1VuepOWTs2pzgNZgWtI0JmsTOdkt6nLzDEaBI2dLJYakrRjpD
  L/vIfV9+c/tmUpH6AM5XvcUEWgRmqgYyU+ZKMLTIDqE+MteBJfMWipyUfwARAQAB
  tB9rZXliYXNlLmlvL2ltdCA8aW10QGtleWJhc2UuaW8+iQI+BBMBAgAoBQJUhfIm
  AhsjBQkSzAMABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCKDogHxSQTYEY8
  D/9tUrYHH71HDfVGbu4L4BZlW7h83iiniUvUb7980gniSlWJvkv0m48GBvE8EN/q
  ze9tLC4xhUBY/ihYhlhoEeNmgePJu/x/0mBwSsMMpRunka9DcfkCHFWDDXHrjMcH
  oOBbZCRM20nFb1EpF6J4rEHErW0h8ccBJBu/XBgZIVp8QmGpRaEG1LbjZCcGtKiz
  HxSYK1Mh2yDi4e2UI0JjC3gzAEkTvPWQbYG9+/jYIPVPBKsszDB4PxgRc8vmBay+
  zw1JE4vpGzklnFk/nwWu1FvTAkjgjPX5rXctmeOx+z+6uDtCEhvp8vOyHj2/auiR
  0qIfBBc6A1vhYG/dhXFOvv9Hu25mOtltD2sNuBXlY4JiNJQkF2zvn/fPaMHxfAxb
  ZhTkaWHnpI/Dm8I3GVQrTOlhVcs92NT++DgIhx+7QR5AkPiILa3QtjEMwQ7VZxwI
  WDN5KWdsEo5ts01prEan5kHi8vZfeB5UJ2q8PNDILApTvRSxaUbDTmPrOZ2ydMzm
  8cw9kjth/C0C4PCWbY+HO4VW3pbyQUXr3t0NjVLAhk9i2ODedAEdOL9ZEU9cdRDi
  SNKl9OS/RY2gQ0QZOdG+a6Z/Xf7+Xgzane1wakN//vna/A2uFpGgqY8nI1AGsz8E
  iBG8wLJ45hRg5G+ysTWEidpNn/VDLXzguwbaAGCnvy+RKrkCDQRUhfImARAA7MBK
  Tm1FvQrDJKiWoqCgS6gZa0+WIIWEV4B58ZRTEpKHH2Si6UGwBdgH2cII4Itw4v/z
  Gjk+sQtFlym0dGjusNOYBjkPSMVGXeR9wzZXECLZoplJqUXVgMJKzAobh10fQ9IZ
  0UieZg93YLdk2bQ19DfX39N/s7cob8/rvXMDAohAnlclZwPWpCpTA2j+rRg1hl0P
  i/3rcXZ/z1gK5btiYHPWGOpDJZyN0kZ5pwxea5TYoAZsUxIZSpXmXYBRfAs8bzL4
  yUVJ4mdYwnp6pQ0qPkRne8Pyek5g86rg6v+2Sh6wHWf6LdiOqjZ1osqTQM3omGQz
  rUAC+saERtjcgWjMnU7C0wjgocxOP7/bKyEijC/gVp96RHykoD3fznX35/vMTTo5
  C1zXTSvA4trbRZrxHWWjWtj3fSITH9uWGFWmMv2MPTX+y890AjN+kZmFMek0JreY
  s4x/l4hHo+YQz829YmeekQUneRqaO+isx+ti3++DjhiAtC+89CmnsekN3FnalX9/
  DiJxUFk3SPm3OlQNyMB9rlezw1GRHIaLumsGobj+I/Hb34Ft4E9UKv+MJRoZiAPV
  ATlcIq1W2/hniQZuFsPAEDLTRcTR3JbiN2eupdmfFKSaxmuJ9vWJvswRxAv5PIGK
  qLJ4nC+IIcKTJBleWNaReHbFYd1ur7FeGUrZMskAEQEAAYkCJQQYAQIADwUCVIXy
  JgIbDAUJEswDAAAKCRCKDogHxSQTYOP4EACK8keb+QxY2kxoFm76r22bW2Fty6zV
  mcTNjEZPzxZBgux5QVq8AogsAoRCY2BMxsenIz4/gdw/MfZ33RrG4GlY4yxK9aNt
  KJRmBwytalp2/DJioJcz36v00btH9dmNbhKcYOhoG80V/O4Wb4EvljQbuRsisYFA
  eDlVIWN3lGHXOnQRdRAVAMtowZb9b/sAEu2OR8/UbO0Z5MDCVVUsQkhTbteyk33+
  8EZ/vtrvE9CxqlA0V6PIBYua4+xDjo1xZCARbrh0k3Gy1o5TMGtb80GeA5mYp7w4
  2pTV9HH/EPbKQSzjor2Wh9RdMZI6tQfk4gZY1veeCr4mt6e3fWlCkkWN7MQ31CxK
  ewOLaKvJe4/GctYV2XcC6t4jzUqq9Vv3Qz4Zj7329nRk+pTRjQjuClQGmP4GC4Us
  lDfCiWRSPjxKM1QNWe60UUY+j/A1LfIqCjV+ytN4ZCm5S1msv5pvZGbcsAeShpEg
  XT6nTUdTHRviaTlOJFnIy2Fw9Sjti24loDRmTciV9bFbEp6ZW3PGDw34tQSB3lWE
  N/Ne6dPqhfqbopq0s4CYO6q28oXHAyVIIYQKya2NCvAr4/uHgE1vo6Tgpre741dm
  5E9WstaqW/nUP1ynFrTvNkHs1i1KwMCKd0s6YjuOQ41YeR6zgKB1Ta81QuC8xvA1
  DKXYWg1k4jhhMQ==
  =M5fh
  -----END PGP PUBLIC KEY BLOCK-----