Digitally signing contact information with GPG
By signing a file containing your non-confidential contact info (ie. email, social handles, XMR addresses), you are essentially allowing people to verify that the public details haven’t been tampered with and they come from you.
We’re going with a clear text type of signature in this guide.
Fire up a terminal and type in:
nano contact.txt(creates the file and opens it in a text editor)
Enter your contact details that you want to publish on your site. Save and exit the editor.
gpg --clear-sign -o contact-signed.txt contact.txt(signs the file with your main public key)
Enter your key password when prompted.
Note: you can also use a different keypair to sign the file by using the
You should now have a
contact-signed.txt file in the same directory.
cat contact-signed.txt(lists file contents, signed)
This should output something like this, only with your own content:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Email: email@example.com Key Fingerprint: BCE1 5F74 D181 1282 4899 608A FD10 3120 DC7B CC36 Reddit: escapethe3ra Matrix: firstname.lastname@example.org -----BEGIN PGP SIGNATURE----- iQKuBAEBCgCYFiEEvOFfdNGBEoJImWCK/RAxINx7zDYFAmFLogNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEJD RTE1Rjc0RDE4MTEyODI0ODk5NjA4QUZEMTAzMTIwREM3QkNDMzYaHGVzY2FwZXRo ZTNyYUBjdGVtcGxhci5jb20ACgkQ/RAxINx7zDb6Xw//dSR6MRxxjSJO5agmvSSt RGkduH/KXRRfvsWFZh5ETgSUmnCeg2GoXKUPE4ZGCHHk3ZsMsB89F529WOeT8+5H ELG507/WPVh0MFdbLfctCt/IBNyBItbQ4P8UR6l6KLLEu35AkCIRq5E6G/XCwkKK JEXFodCvGHA6SyMOtT2MHnlvmQzvuhFQVys7SMnPmsyZlayXa88M+Q3kKO5mwoMi keT+mqbTEM/x80cxrd81/r2VT/aMM4fpuZSGzY70p7JCypBCDpLgjdFFhGztwiHa SF6h2mMmYn8JInrr5LByunK9PLPXjx0F6f0/ym4Wts/IBDOEA+g5pwWElITVSYWt BXjQL/pTGlKGl3YT5GTlxZgW/9zqaifQquFMWaZ36IZ/e/IWNcVTBbk1OZKhBiHP 7rbvAon3/z53mdUFB7EhDo3yScRvnhqUFvvDxXMw0ck4P7NcBowFFPDbrVDRFUhs //kbQSG1siKVrqJ0U6rOCounjZXfEJbMsMvp4d1ERO92gHrrHcWfbwOrLc3DFK/i cD7i8LsqKH4KWI6FsVddr9XsNmH9BUoI3fLN1a5CQsFJs2nTFPH80zq2Cb8sZMg6 WVb/iPk2PqsbGdvl+nXsBVRefmdNOjFCzDduWUggBocnqqplDbMo3DIdVWcAxDNr SMvCKV9o+/vZ4SbRe3oeo+8= =etlF -----END PGP SIGNATURE-----
Now you can publish the file online. Don’t forget to also include your public key that you used to sign this file. That way people can use it to verify your contact details.
You can exercise by trying to verify my information. This way you can see how the process works for the other party.
If you don’t already have my public key, download it. Then verify the fingerprint and import it.
Note: on Whonix you can replace
scurl for better security.3
wget https://monero.observer/3RA_pubkey.asc(downloads my public key to your machine)
gpg --show-keys 3RA_pubkey.asc(list the key’s fingerprint)
The output should match this fingerprint:
If it doesn’t, don’t import it. Delete and try again or contact me.
gpg --import 3RA_pubkey.asc(imports the key)
Download the file containing my signed contact info:
wget https://monero.observer/contact-signed.txt(downloads my signed contact info to your machine)
gpg --verify contact-signed.txt(verifies if the file contains the original content)
gpg: Signature made Wed 22 Sep 2021 09:37:07 PM UTC gpg: using RSA key BCE15F74D18112824899608AFD103120DC7BCC36 gpg: issuer "email@example.com" gpg: Good signature from "escapethe3RA <firstname.lastname@example.org>" [unknown]
You can ignore this warning:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: BCE1 5F74 D181 1282 4899 608A FD10 3120 DC7B CC36
The most important part of the output is this:
gpg: Good signature from "escapethe3RA <email@example.com>"
That’s what you want to see.
If you see
BAD signature then the file is probably corrupted, not original, or there was a mistake somewhere in the steps above. You can delete it and try again.
If all went well, you can try and change something inside my
contact-signed.txt file, save it and verify it again. It should fail, even if all you’ve modified is 1 single character.
- signing a file does not automatically encrypt its contents
- this is not the only way to digitally sign4 a file; the manual suggests using detached signatures over cleartext5
gpg --verifydoes not check for any modifications outside of the cleartext signature or the header lines directly following the dash marker line
- GPG usage might not fit your threat model
After getting lots of PGP-related questions, I decided it might be helpful to start making some guides, and see if people find them useful.
There’s also a second guide2 available. Let me know if you want to see more.
Feedback is always welcome!