Silk Road forums

Discussion => Security => Topic started by: wannabud on April 05, 2012, 09:19 am

Title: How to verify PGP signature
Post by: wannabud on April 05, 2012, 09:19 am
Hi,

I downloaded the pgp signature (http://www.truecrypt.org/downloads) and tried to import it into my client as explained here (http://www.truecrypt.org/docs/?s=digital-signatures), but nothing happens. It's not a text document.

How do I verify signatures with this extension (.sig)?
Title: Re: How to verify PGP signature
Post by: mdmamail on April 06, 2012, 02:10 am
Just change the extension to .txt or .asc; it's probably just ASCII.
Title: Re: How to verify PGP signature
Post by: wannabud on April 06, 2012, 08:29 am
Sorry, I did not understand.

How do I change the extension from .tar.gz.sig to .asc?
Title: Re: How to verify PGP signature
Post by: Regicide on April 06, 2012, 08:32 am
Open the file in Notepad and Save As... Make sure you have file type *All Files* selected from the drop-down, then write the name you want followed by .asc.

Example:

File Name: file.asc
Save as type: *All Files*
Title: Re: How to verify PGP signature
Post by: Diamond on April 06, 2012, 07:21 pm
Hi,

> I downloaded the pgp signature (http://www.truecrypt.org/downloads) and tried to import it into my client as explained here (http://www.truecrypt.org/docs/?s=digital-signatures), but nothing happens. It's not a text document.
>
> How do I verify signatures with this extension (.sig)?

Your terms seem a bit confused. You don't import a signature file. You import a public key, and use the public key to verify a signature.

http://www.truecrypt.org/docs/?s=digital-signatures

Grab their key here:
http://www.truecrypt.org/downloads2
Title: Re: How to verify PGP signature
Post by: wannabud on April 07, 2012, 02:44 am
Hi,

> > I downloaded the pgp signature (http://www.truecrypt.org/downloads) and tried to import it into my client as explained here (http://www.truecrypt.org/docs/?s=digital-signatures), but nothing happens. It's not a text document.
> >
> > How do I verify signatures with this extension (.sig)?
>
> Your terms seem a bit confused. You don't import a signature file. You import a public key, and use the public key to verify a signature.
>
> http://www.truecrypt.org/docs/?s=digital-signatures
>
> Grab their key here:
> http://www.truecrypt.org/downloads2
I downloaded the TrueCrypt-Foundation-Public-Key.asc, imported it and marked as reliable.

I do not understand what to do with the key inside "truecrypt-7.1a-linux-x86l.tar.gz.sig".

Trying to verify it in kgpg, it shows the message: "No signature found. No data 1. No data 2"

Opening it on gedit, I can see this:
\88F\00\00O1\8Df\00
   \E3\BAs\CA\F0ֱ\E0\E1\00\A0\8F\A6e\B0\AA\A0\AEEuH\B9%\C1\85A\84\00\9Fj\99\00\B2\BF~-\D8:\E0\E6L\813\d\F5

And for sure it's not a pgp signature. My doubt is what to do with the tar.gz.sig file.
Title: Re: How to verify PGP signature
Post by: Diamond on April 07, 2012, 03:19 am
Well, yes it IS a signature. GPG can output encrypted data or signature files in two ways, ASCII or binary. ASCII seems to be the norm, but what you have there is a binary. You'll just see junk if you open it up in a text editor.

Regardless, the way a detached signature works is easy. You have the main file [filename.end] and you have the signature file [filename.end.sig]. To verify, these must be in the same directory.

I've never used Kgpg, but verification is easy to do on the command line. Navigate to the directory with the file/sig and type:

gpg --verify filename.end.sig
Title: Re: How to verify PGP signature
Post by: LucyDiamond on April 07, 2012, 03:22 am
Am I the only one who uses seahorse? I find it to be easy to use and it has a nice looking gui.
Title: Re: How to verify PGP signature
Post by: mdmamail on April 07, 2012, 04:04 am
Are you using Linux? Because the gzipped and tar sig won't work if you're using windows.
I just now tested it by downloading both the sig and main file, and simply double clicked the .tar.gz.sig file on my gnome desktop. It automatically verified without me having to do anything.

I assume you have System->Preferences->Passwords and Encryption Keys installed; if not, apt-get install seahorse.
Title: Re: How to verify PGP signature
Post by: wannabud on April 07, 2012, 07:31 pm
> Regardless, the way a detached signature works is easy. You have the main file [filename.end] and you have the signature file [filename.end.sig]. To verify, these must be in the same directory.
If by main file you mean the public keys, they are in the same directory.

> I've never used Kgpg, but verification is easy to do on the command line. Navigate to the directory with the file/sig and type:
>
> gpg --verify filename.end.sig
gpg: can't open `truecrypt-7.1a-linux-x86.tar.gz.sig'
gpg: verify signatures failed: file open error
Title: Re: How to verify PGP signature
Post by: wannabud on April 07, 2012, 07:34 pm
> Am I the only one who uses seahorse? I find it to be easy to use and it has a nice looking gui.
I used it to create my keys, but it does not encrypt/decrypt messages.
Title: Re: How to verify PGP signature
Post by: wannabud on April 07, 2012, 07:37 pm
> Are you using Linux? Because the gzipped and tar sig won't work if you're using windows.
Linux Mint 12.

> I just now tested it by downloading both the sig and main file, and simply double clicked the .tar.gz.sig file on my gnome desktop. It automatically verified without me having to do anything.
So, it's not working only for me.

> I assume you have System->Preferences->Passwords and Encryption Keys installed; if not, apt-get install seahorse.
Yes, I have.
Title: Re: How to verify PGP signature
Post by: wannabud on April 07, 2012, 07:42 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test signed message
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

If you give me a signed message like this, I know how to verify it easily on kgpg, as well as how to encrypt/decrypt messages, create private/public keys, and import/export keys. My trouble is only with .sig files. I don't know what my mistake is yet.
Title: Re: How to verify PGP signature
Post by: mdmamail on April 07, 2012, 09:42 pm
Oops I found the problem.
https://www.truecrypt.org/download/TrueCrypt-Foundation-Public-Key.asc
Import that key

Now try it, it will work.
gpg --verify truecrypt-7.1a-linux-x86.tar.gz.sig truecrypt-7.1a-linux-x86.tar.gz

gpg: Signature made Tue 07 Feb 2012 12:45:26 PM PST using DSA key ID F0D6B1E0
gpg: Good signature from "TrueCrypt Foundation <contact@truecrypt.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0

They recommend you sign their key, then check it and you won't get the above error.
Some bullshit from their site when you click to download the .sig file:

> Note: In the past, many users reported that our public key was invalid, even though it was actually valid. When verifying the signature, if you receive an error message stating that the signing key is invalid, you need to sign our public key with your private key first (then the error message will no longer appear).
>
> In other words, the "Invalid Key" error message does NOT mean that our key is actually invalid (you just need to sign the key, after you add it to your keyring, in order to mark the key as trusted). That's how PGP and GPG work.
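Diamond's point that the .sig file is a binary OpenPGP signature, and mdmamail's gpg output naming DSA key ID F0D6B1E0, can both be checked by reading the file itself: the `\88F` wannabud saw at the start of the gedit dump is an old-format packet header (tag 2 = signature, 70-byte body), and the key ID sits in the signature's issuer subpacket. The Python below is an added example, not code from the thread or from GnuPG: a minimal RFC 4880 parser that tells an armored .asc from a binary .sig and reports the algorithms and issuer key ID, run on a constructed sample packet (dummy MPIs, so it is not a real signature); the actual verification is still `gpg --verify file.sig file` against the imported key.

```python
import struct
# Field codes from RFC 4880, the format gpg writes into a binary .sig file.
SIG_PACKET_TAG, ISSUER_SUBPACKET = 2, 16
PUBKEY_ALGS, HASH_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA"}, {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}

def is_armored(data: bytes) -> bool:          # ASCII-armored (.asc) vs binary (.sig)
    return data.lstrip().startswith(b"-----BEGIN PGP")

def read_packet_header(data: bytes):
    """Return (tag, body_offset, body_len) of an old-format packet header (RFC 4880 s4.2.1)."""
    first = data[0]
    if (first & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03      # 0x88 -> tag 2, one-octet length
    if ltype > 1:
        raise ValueError("unsupported packet length type")
    return (tag, 2, data[1]) if ltype == 0 else (tag, 3, struct.unpack(">H", data[1:3])[0])

def parse_detached_sig(data: bytes) -> dict:
    """Describe a binary v4 signature: document type, algorithms and the key ID gpg needs."""
    if is_armored(data):
        raise ValueError("armored signature (.asc), not the binary form")
    tag, off, length = read_packet_header(data)
    if tag != SIG_PACKET_TAG:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    body = data[off:off + length]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    u = 6 + hashed_len                                    # start of unhashed subpacket area
    unhashed_len = struct.unpack(">H", body[u:u + 2])[0]
    subpackets = body[6:6 + hashed_len] + body[u + 2:u + 2 + unhashed_len]
    issuer, i = None, 0
    while i < len(subpackets):                            # one-octet subpacket lengths only
        sp_len, sp_type = subpackets[i], subpackets[i + 1] & 0x7F
        if sp_type == ISSUER_SUBPACKET:
            issuer = subpackets[i + 2:i + 1 + sp_len].hex().upper()
        i += 1 + sp_len
    return {"binary_document": body[1] == 0x00, "issuer_key_id": issuer,
            "pubkey_alg": PUBKEY_ALGS.get(body[2], str(body[2])),
            "hash_alg": HASH_ALGS.get(body[3], str(body[3]))}

def build_sample_sig() -> bytes:
    """Constructed sample: a DSA/SHA1 v4 signature packet with dummy MPIs, not a real signature."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1328647526)           # creation time 2012-02-07 20:45:26 UTC
    unhashed = bytes([9, 16]) + bytes.fromhex("E3BA73CAF0D6B1E0")     # issuer: the thread's TrueCrypt key ID
    body = bytes([4, 0x00, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34"   # left 16 bits of the hash
    body += (struct.pack(">H", 160) + b"\x80" + b"\x11" * 19) * 2       # two 160-bit MPIs (r, s)
    return bytes([0x88, len(body)]) + body                             # header 0x88 0x46: tag 2, 70 octets
```

The last eight hex digits of the issuer key ID are the short key ID gpg prints ("key ID F0D6B1E0"); the file must still be verified with gpg against the imported TrueCrypt Foundation key.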
Title: Re: How to verify PGP signature
Post by: wannabud on April 07, 2012, 11:07 pm
Thanks MDMAMAIL.

I decided to redownload the files and now it finally works. In the terminal and in kgpg too.

Somebody cited seahorse. I didn't find the way to verify through it, but ok.
Title: Re: How to verify PGP signature
Post by: wannabud on April 07, 2012, 11:12 pm
> Forgot to add, due to paranoia I always use LVM or bsd encryption to further encrypt my truecrypt containers.

I'm a newbie in this encryption world but I am interested in learning about it. I would be grateful to see how to use LVM to further encrypt TC.
Can you use bsd encryption on linux?
Title: Re: How to verify PGP signature
Post by: mdmamail on April 08, 2012, 12:46 am
You get the option to encrypt the entire /home /var /swap and other partitions during install on Debian, I assume Mint does the same. Then make further partitions using Disk utility + LUKS in Gnome, store TC containers on it.

https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html

Do that in Mint, then place your TC containers inside, all with different passwords of course. Make a regular partition, or like that article use a USB key. Of course make the TC containers with hidden ones... so if all else fails and you are forced to decrypt you can show them a decoy container with nothing inside.

Assuming Mint uses Gnome for the desktop; I've never used it.

tl;dr:
Encrypt everything during install with LVM, should give you options to do this in the installer.
Use Gnome disk utility + LUKS to create encrypted partitions within the already encrypted disk using that Tails tutorial.
Store your TC containers on there.
Tinfoil hat Linux for sure, but why not; it only takes a few extra minutes' work to set up.