HPR/hpr-tools
5
0
Fork 1
Code Issues 8 Pull Requests Packages Projects Releases Wiki Activity

Verification of email #4

New Issue
Open
opened 2024-12-27 10:13:09 +00:00 by ken_fallon · 0 comments
ken_fallon commented 2024-12-27 10:13:09 +00:00
Owner
Copy Link

A discussion with @davmo from some time ago (2016 ;-) ). Not sure if we still need this.

Most people will have their key on a public keyserver, so the long-form key id should be enough. This is what we have assumed so far.

In the case before us we don't have this, presumably because storing a key requires an email address.

I loaded the key to my keyring:

$ cat > john.doe.key
... key pasted ...
Ctrl-D

$ gpg --import john.doe.key
gpg: key 1C7398B00F0239E8: public key "john.doe
(http://xxxxxxxxxxxxxxxx.xxxxx/) <john.doe@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

So the host has to give us something which is signed with their private key that we can check the signature.

They would have to save the confirmation URL (for example) in a file and sign it.

$ gpg --output doc.sig --detach-sig
<<<"http://hackerpublicradio.org/upload.php?key=c0dfd17190fdfefbbb9f720146f4f9e6676a3e8ff2b3b
gpg: using "1C7398B00F0239E8" as default secret key for signing
File 'doc.sig' exists. Overwrite? (y/N) y

This uses the Bash feature called a "Here String" where '<<<"text"' is a way of sending data on STDIN.

Problem is that the check doesn't work:

$ gpg --verify doc.sig
<<<"http://hackerpublicradio.org/upload.php?key=c0dfd17190fdfefbbb9f720146f4f9e6676a3e8ff2b3b
gpg: no signed data
gpg: can't hash datafile: No data

So, trying again with a file:

$ cat > /tmp/$$
<<<"http://hackerpublicradio.org/upload.php?key=c0dfd17190fdfefbbb9f720146f4f9e6676a3e8ff2b3b

$ gpg --output doc.sig --detach-sig /tmp/$$
gpg: using "1C7398B00F0239E8" as default secret key for signing
File 'doc.sig' exists. Overwrite? (y/N) y

$ gpg --verify doc.sig /tmp/$$
gpg: Signature made Thu 10 Nov 2016 10:59:11 GMT
gpg:                using RSA key 1C7398B00F0239E8
gpg: Good signature from "Dave Morriss <Dave.Morriss@gmail.com>" [ultimate]
gpg:                 aka "David Morriss (privacy-aware email)
<perloid@autistici.org>" [ultimate]
gpg:                 aka "[jpeg image of size 5608]" [ultimate]

So, we'd have to ask the host to do the same and send in the equivalent of my 'doc.sig'. We'd then verify this against a locally-generated file with the URL in it.

A discussion with @davmo from some time ago (2016 ;-) ). Not sure if we still need this. Most people will have their key on a public keyserver, so the long-form key id should be enough. This is what we have assumed so far. In the case before us we don't have this, presumably because storing a key requires an email address. I loaded the key to my keyring: ``` $ cat > john.doe.key ... key pasted ... Ctrl-D $ gpg --import john.doe.key gpg: key 1C7398B00F0239E8: public key "john.doe (http://xxxxxxxxxxxxxxxx.xxxxx/) <john.doe@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1 ``` So the host has to give us something which is signed with their private key that we can check the signature. They would have to save the confirmation URL (for example) in a file and sign it. ``` $ gpg --output doc.sig --detach-sig <<<"http://hackerpublicradio.org/upload.php?key=c0dfd17190fdfefbbb9f720146f4f9e6676a3e8ff2b3b gpg: using "1C7398B00F0239E8" as default secret key for signing File 'doc.sig' exists. Overwrite? (y/N) y ``` This uses the Bash feature called a "Here String" where '<<<"text"' is a way of sending data on STDIN. Problem is that the check doesn't work: ``` $ gpg --verify doc.sig <<<"http://hackerpublicradio.org/upload.php?key=c0dfd17190fdfefbbb9f720146f4f9e6676a3e8ff2b3b gpg: no signed data gpg: can't hash datafile: No data ``` So, trying again with a file: ``` $ cat > /tmp/$$ <<<"http://hackerpublicradio.org/upload.php?key=c0dfd17190fdfefbbb9f720146f4f9e6676a3e8ff2b3b $ gpg --output doc.sig --detach-sig /tmp/$$ gpg: using "1C7398B00F0239E8" as default secret key for signing File 'doc.sig' exists. Overwrite? (y/N) y $ gpg --verify doc.sig /tmp/$$ gpg: Signature made Thu 10 Nov 2016 10:59:11 GMT gpg: using RSA key 1C7398B00F0239E8 gpg: Good signature from "Dave Morriss <Dave.Morriss@gmail.com>" [ultimate] gpg: aka "David Morriss (privacy-aware email) <perloid@autistici.org>" [ultimate] gpg: aka "[jpeg image of size 5608]" [ultimate] ``` So, we'd have to ask the host to do the same and send in the equivalent of my 'doc.sig'. We'd then verify this against a locally-generated file with the URL in it.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: HPR/hpr-tools#4
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?