Skip to content

Instantly share code, notes, and snippets.

@grempe

grempe/TrueTimeStamp-certificate-4793.txt Secret

Created November 24, 2016 07:44
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save grempe/328907f01a03346a519e8ada92904ec1 to your computer and use it in GitHub Desktop.
Save grempe/328907f01a03346a519e8ada92904ec1 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gpg2 --verify
# VERIFYING A SIGNATURE CREATED BY THIS TOOL
# http://truetimestamp.org/
#
# Bad Output in signature verification
#
# ...
# gpg: DBG: tofu.c:2772: strtoul failed for DB returned string (tail=): Invalid argument
# ...
#
# VERSION
#########
$ gpg2 --version
gpg (GnuPG) 2.1.16
libgcrypt 1.7.3
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/me/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
# IMPORT PUB KEY
################
$ gpg2 --recv-keys 0x83289060F40DED088CF246B56F3B2E6AB748A8F8
gpg: key 0x6F3B2E6AB748A8F8: public key "TrueTimeStamp <signing-department@TrueTimeStamp.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
# TRY TO VERIFY FILE SIGNATURE
##############################
$ gpg2 --verify TrueTimeStamp-certificate-4793.txt
gpg: Signature made Wed Nov 23 23:08:29 2016 PST
gpg: using DSA key 0x6F3B2E6AB748A8F8
gpg: Good signature from "TrueTimeStamp <signing-department@TrueTimeStamp.org>" [marginal]
gpg: DBG: tofu.c:2772: strtoul failed for DB returned string (tail=): Invalid argument
gpg: DBG: tofu.c:2774: strtoul failed for DB returned string (tail=): Invalid argument
gpg: signing-department@truetimestamp.org: Verified 1 signature in the past
0 seconds, and encrypted 0 messages.
gpg: Warning: we've only seen one message signed using this key and user id!
gpg: Warning: you have yet to encrypt a message to this key!
gpg: Warning: if you think you've seen more signatures by this key and user
id, then this key might be a forgery! Carefully examine the email address
for small variations. If the key is suspect, then use
gpg --tofu-policy bad 83289060F40DED088CF246B56F3B2E6AB748A8F8
to mark it as being bad.
gpg: WARNING: This key is not certified with sufficiently trusted signatures!
gpg: It is not certain that the signature belongs to the owner.
Primary key fingerprint: 8328 9060 F40D ED08 8CF2 46B5 6F3B 2E6A B748 A8F8
Raw
TrueTimeStamp-certificate-4793.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
============================================================================
Certificate
============================================================================
In conjunction with the file(s) that produce the following SHA-2 fingerprint,
and in conjunction with the verification procedures available on
TrueTimeStamp.org (copy available below), this certifies that the following
file existed and was time-stamped on:
Time: November 24, 2016 7:08:29 am GMT
Stored SHA-2 Fingerprint:
25a43d0e7325097a0fa7e358cca2da04c285ea7367089eb8497d7daaab1fb1c1
Certificate Type: submitted-hash
Constituent Files:None Provided.
============================================================================
Certificate Information
============================================================================
Authority: True Time Stamp ( http://TrueTimeStamp.org )
Certificate Number: 4793
Sequential Validity Chain: bd926d4d8543d1f21a7d8e0e2280f82a7eef197e44c070a44f753f2ebb65f3d7
============================================================================
Important Note
============================================================================
1 - Backup copy of the original unaltered file must be kept to authenticate
this certificate.
2 - Some editing programs may inadverently alter files by including the
"save time" in the file contents, or changing character encoding, even if
no edits are made. Back-up using your operating system's copy function
rather than "Save As".
============================================================================
Verification Procedures
============================================================================
Online - Single File Certificate:
- Supply the ORIGINAL FILE to http://TrueTimeStamp.org for verification.
Online - Multiple File Certificate:
- Supply THIS CERTIFICATE to http://TrueTimeStamp.org for verification.
- Additionally, for each file that you want to prove existed at the time
point above, you must confirm that the SHA-2 of these file(s) matches
those listed above (see instructions "Calculate SHA-2 Fingerprint of a
file" below).
Offline Procedures:
- Use these procedures if http://TrueTimeStamp.org ceases to exist, or if
you would like to independently confirm the electronic signature of this
certificate.
- Obtain GPG software ( https://www.gnupg.org/download )
- Obtain the True Time Stamp Public Key, from any of the servers below, by
searching by email:
EMAIL: signing-department@TrueTimeStamp.org
KEY ID: 0x6f3b2e6ab748a8f8
KEY Fingerprint: 0x83289060f40ded088cf246b56f3b2e6ab748a8f8
- http://truetimestamp.org/public-keys
- https://pgp.mit.edu
- http://keyserver.cns.vt.edu:11371
- http://keyserver.lsuhscshreveport.edu:11371
- http://keyserver.ubuntu.com
- https://keyserver.pgp.com
- http://keyserver.searchy.nl:11371
- http://keyserver.compbiol.bio.tu-darmstadt.de:11371
- Download the appropriate key, save as TrueTimeStamp-key4-DSA-3072.asc
- Optionally, verify the fingerprint of the public key.
PUBLIC KEY SHA-2 FINGERPRINT, base64 representation, UTF-8,
UNIX-style line breaks, without headers or footers:
16fecee8a5fd4cc39facfd1c5db36fe2eec553cf0dfa2e7496d4a3556027790e
- Import the downloaded public-key via command-line:
gpg --import TrueTimeStamp-key4-DSA-3072.asc
- Verify the authenticity of this certificate via command-lines:
gpg --import TrueTimeStamp-key4-DSA-3072.asc
gpg --verify myCertificateFile
- For multi-file certificates, you may also confirm that:
Stored SHA-2 Fingerprint matches the "Constituent Files" section
- Copy & Paste text under "Constituent Files" section into a
separate file, and save without trailing spaces and using
UNIX-style newlines.
- Calculate SHA-2 of this file, and confirm that this matches the
Stored SHA-2 fingerprint.
- For each file that you want to confirm the time stamp, calculate its SHA-2
fingerprint, and confirm that this is present in this certificate above.
To Calculate SHA-2 Fingerprint of a file:
- Online at http://TrueTimeStamp.org
- Using software such as sha256sum, or openssl, with the command-lines:
sha256sum MyFileName
openssl dgst -sha256 MyFileName
Sequential Validity Chain:
- Guards against back-dating any time stamp, or removing any time stamp
in the future.
- Consists of SHA-2( Sequential Validity Chain of previous certificate,
SHA-2 of current file, UNIX Time Stamp).
- Validity Chains are intermittently submitted to other Time Stamping
Services.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iFcDBQFYNpHtbzsuardIqPgRCINsAQCwLsHXtNJNhf3hllnpLjntfSqUdE4K8+0y
/V62DEEBhQEAv0PwyX501kwwFtAWGeuiKVug5IpeV7tNJ5l8dDhLxz0=
=bUor
-----END PGP SIGNATURE-----
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment