Created
November 24, 2016 07:44
# VERIFYING A SIGNATURE CREATED BY THIS TOOL
# http://truetimestamp.org/
#
# Bad Output in signature verification
#
# ...
# gpg: DBG: tofu.c:2772: strtoul failed for DB returned string (tail=): Invalid argument
# ...
#
# VERSION
#########
$ gpg2 --version
gpg (GnuPG) 2.1.16
libgcrypt 1.7.3
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/me/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
# IMPORT PUB KEY
################
$ gpg2 --recv-keys 0x83289060F40DED088CF246B56F3B2E6AB748A8F8
gpg: key 0x6F3B2E6AB748A8F8: public key "TrueTimeStamp <signing-department@TrueTimeStamp.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
# TRY TO VERIFY FILE SIGNATURE
##############################
$ gpg2 --verify TrueTimeStamp-certificate-4793.txt
gpg: Signature made Wed Nov 23 23:08:29 2016 PST
gpg: using DSA key 0x6F3B2E6AB748A8F8
gpg: Good signature from "TrueTimeStamp <signing-department@TrueTimeStamp.org>" [marginal]
gpg: DBG: tofu.c:2772: strtoul failed for DB returned string (tail=): Invalid argument
gpg: DBG: tofu.c:2774: strtoul failed for DB returned string (tail=): Invalid argument
gpg: signing-department@truetimestamp.org: Verified 1 signature in the past
0 seconds, and encrypted 0 messages.
gpg: Warning: we've only seen one message signed using this key and user id!
gpg: Warning: you have yet to encrypt a message to this key!
gpg: Warning: if you think you've seen more signatures by this key and user
id, then this key might be a forgery! Carefully examine the email address
for small variations. If the key is suspect, then use
gpg --tofu-policy bad 83289060F40DED088CF246B56F3B2E6AB748A8F8
to mark it as being bad.
gpg: WARNING: This key is not certified with sufficiently trusted signatures!
gpg: It is not certain that the signature belongs to the owner.
Primary key fingerprint: 8328 9060 F40D ED08 8CF2 46B5 6F3B 2E6A B748 A8F8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

============================================================================
Certificate
============================================================================
In conjunction with the file(s) that produce the following SHA-2 fingerprint,
and in conjunction with the verification procedures available on
TrueTimeStamp.org (copy available below), this certifies that the following
file existed and was time-stamped on:
Time: November 24, 2016 7:08:29 am GMT
Stored SHA-2 Fingerprint:
25a43d0e7325097a0fa7e358cca2da04c285ea7367089eb8497d7daaab1fb1c1
Certificate Type: submitted-hash
Constituent Files:None Provided.
============================================================================
Certificate Information
============================================================================
Authority: True Time Stamp ( http://TrueTimeStamp.org )
Certificate Number: 4793
Sequential Validity Chain: bd926d4d8543d1f21a7d8e0e2280f82a7eef197e44c070a44f753f2ebb65f3d7
============================================================================
Important Note
============================================================================
1 - Backup copy of the original unaltered file must be kept to authenticate
this certificate.
2 - Some editing programs may inadverently alter files by including the
"save time" in the file contents, or changing character encoding, even if
no edits are made. Back-up using your operating system's copy function
rather than "Save As".
============================================================================
Verification Procedures
============================================================================
Online - Single File Certificate:
- Supply the ORIGINAL FILE to http://TrueTimeStamp.org for verification.
Online - Multiple File Certificate:
- Supply THIS CERTIFICATE to http://TrueTimeStamp.org for verification.
- Additionally, for each file that you want to prove existed at the time
point above, you must confirm that the SHA-2 of these file(s) matches
those listed above (see instructions "Calculate SHA-2 Fingerprint of a
file" below).
Offline Procedures:
- Use these procedures if http://TrueTimeStamp.org ceases to exist, or if
you would like to independently confirm the electronic signature of this
certificate.
- Obtain GPG software ( https://www.gnupg.org/download )
- Obtain the True Time Stamp Public Key, from any of the servers below, by
searching by email:
EMAIL: signing-department@TrueTimeStamp.org
KEY ID: 0x6f3b2e6ab748a8f8
KEY Fingerprint: 0x83289060f40ded088cf246b56f3b2e6ab748a8f8
- http://truetimestamp.org/public-keys
- https://pgp.mit.edu
- http://keyserver.cns.vt.edu:11371
- http://keyserver.lsuhscshreveport.edu:11371
- http://keyserver.ubuntu.com
- https://keyserver.pgp.com
- http://keyserver.searchy.nl:11371
- http://keyserver.compbiol.bio.tu-darmstadt.de:11371
- Download the appropriate key, save as TrueTimeStamp-key4-DSA-3072.asc
- Optionally, verify the fingerprint of the public key.
PUBLIC KEY SHA-2 FINGERPRINT, base64 representation, UTF-8,
UNIX-style line breaks, without headers or footers:
16fecee8a5fd4cc39facfd1c5db36fe2eec553cf0dfa2e7496d4a3556027790e
- Import the downloaded public-key via command-line:
gpg --import TrueTimeStamp-key4-DSA-3072.asc
- Verify the authenticity of this certificate via command-lines:
gpg --import TrueTimeStamp-key4-DSA-3072.asc
gpg --verify myCertificateFile
- For multi-file certificates, you may also confirm that:
Stored SHA-2 Fingerprint matches the "Constituent Files" section
- Copy & Paste text under "Constituent Files" section into a
separate file, and save without trailing spaces and using
UNIX-style newlines.
- Calculate SHA-2 of this file, and confirm that this matches the
Stored SHA-2 fingerprint.
- For each file that you want to confirm the time stamp, calculate its SHA-2
fingerprint, and confirm that this is present in this certificate above.
To Calculate SHA-2 Fingerprint of a file:
- Online at http://TrueTimeStamp.org
- Using software such as sha256sum, or openssl, with the command-lines:
sha256sum MyFileName
openssl dgst -sha256 MyFileName
Sequential Validity Chain:
- Guards against back-dating any time stamp, or removing any time stamp
in the future.
- Consists of SHA-2( Sequential Validity Chain of previous certificate,
SHA-2 of current file, UNIX Time Stamp).
- Validity Chains are intermittently submitted to other Time Stamping
Services.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iFcDBQFYNpHtbzsuardIqPgRCINsAQCwLsHXtNJNhf3hllnpLjntfSqUdE4K8+0y
/V62DEEBhQEAv0PwyX501kwwFtAWGeuiKVug5IpeV7tNJ5l8dDhLxz0=
=bUor
-----END PGP SIGNATURE-----
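
The offline procedure from the certificate, scripted so the decision rests on the pinned key fingerprint in GnuPG's machine-readable VALIDSIG status line rather than on the "Good signature ... [marginal]" text and TOFU warnings seen in the log. This is an added example, not part of the gist or of TrueTimeStamp's tooling; the function names are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the gist). Function names are hypothetical.
PINNED_FPR=83289060F40DED088CF246B56F3B2E6AB748A8F8   # fingerprint shown on this page

# Constructed sample of `gpg --status-fd 1 --verify` output for the certificate.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6F3B2E6AB748A8F8 TrueTimeStamp <signing-department@TrueTimeStamp.org>
[GNUPG:] VALIDSIG 83289060F40DED088CF246B56F3B2E6AB748A8F8 2016-11-24 1479971309 0 3 0 17 8 01 83289060F40DED088CF246B56F3B2E6AB748A8F8'

# Read status lines on stdin; succeed only if a VALIDSIG line names the
# pinned fingerprint as signing key (field 3) or primary key (last field).
validsig_matches() {
    awk -v fp="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        (toupper($3) == toupper(fp) || toupper($NF) == toupper(fp)) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Print the hash on the line following "Stored SHA-2 Fingerprint:".
# Text outside the clearsigned block is not covered by the signature, so
# pass a file that contains only the signed certificate.
stored_hash() {
    awk '/^[ \t]*Stored SHA-2 Fingerprint:/ {
             getline; gsub(/[^0-9a-fA-F]/, ""); print tolower($0); exit
         }' "$1"
}

# Succeed when the SHA-256 of file $2 equals the hash stored in certificate $1.
file_matches_cert() {
    want=$(stored_hash "$1")
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Full check: valid signature by the pinned key, then the hash comparison.
# Assumes the key was already imported with `gpg --import`.
verify_certificate() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        validsig_matches "$PINNED_FPR" && file_matches_cert "$1" "$2"
}
```

Call it as `verify_certificate TrueTimeStamp-certificate-4793.txt original-file` and act on the exit status only.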