-
Notifications
You must be signed in to change notification settings - Fork 10
GPG_Verify
FIMKrypto edited this page Jun 29, 2014
·
3 revisions
FIMK releases are announced on the FIMKrypto forum and are made tamper proof by wrapping the release text, version, download location and SHA256 hash of the downloadable file in a GPG 'clearsign' message.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello this is a test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBAgAGBQJTrzVVAAoJEP9gzPcARnvnAT8IALQ5ju9Ckk63CtX9xzBs0owh
phlIMsVHC0g5aKH/YFln8w73dSyt8WfqNBP1PlVHt5eZwd3KZudg34Dtf8jjwy5A
4xBgN9fRo4pXlN3pGadfZpOhbUQy0bI6ISNijaSnqRHBldyKMod4tGQyL2hyeEDV
jcsPO12+4ysgGCG0XmznHPMra7Hs7S2Zjyf36rOgRapfoISkwYB7Zf8aqp3JumtV
4yKbUPGeOtut2cQW8d47z1FuGk6fmloEDG/544OSq6uGBDb9z+c2o7uM6464SwwT
CKfI5LXeKO/SkVRS9yS0+PhJsNzQ23k9wJAkVYzGC+gSiZSqxQO0NEpOnBUCVNs=
=3pE8
-----END PGP SIGNATURE-----
Please follow these steps if you wish to verify the announcements authenticity.
1. Install GPG (please ask google how to do that)
2. Look up the public key ID on one of the Public Key Servers (you could for instance use http://pgp.mit.edu/ and search for fimkrypto@gmail.com). A public key ID looks like this: '00467BE7'.
3. Import the public key
$ gpg --recv-keys PUBLIC-KEY-ID
4. Now you can verify the release announcement was not tampered with by running
$ gpg --verify RELEASE-ANNOUNCEMENT-TEXT-AS-FILE.txt