AidanMontareDotNet

Security

This page contains information that can be used to verify the authenticity of data that appears to originate from Aidan Montare. You can use this information to detect any active interception of the traffic between you and me.

However, if the current page is itself being intercepted, you cannot assume it can be trusted. An attacker might change the information on this page so that it validates data that comes from the attacker rather than from Aidan Montare. To have the best confidence in the integrity of the data, load this page over a connection that you are most certain has no interception.

GPG Key

Download my GPG keys.

You can copy the text of the key into a file and run gpg --import FILE to import the key into your keyring, or you can download the keys from the SKS Keyservers Network. You might want to use the keyservers in order to get the most recent signatures on my keys. Read this for some tips. Here are some basic actions:

search for keys with NAME in them and interactively import them: gpg --search-keys NAME
refresh keys that have already been imported: gpg --refresh-keys
edit a key NAME interactively (type help for commands): gpg --edit-key NAME
send a key NAME that you have modified (e.g. by signing it) to a keyserver: gpg --send-keys NAME

Change the command to gpg --keyserver KEYSERVER ... to run it against KEYSERVER rather than the default keyserver. Note that many keyservers are part of the SKS network, so once you send the keys to one, they will all synchronize within a few minutes. More information in the manual.

File Checksums

I often use my GPG key to sign the releases of my projects.

Project releases should be accompanied by two files: SHA512SUMS and SHA512SUMS.asc. The first is a list of file checksums. This file can be used to verify that the project releases have not been tampered with. The second is an ASCII-armored GPG signature of the checksums. This file can be used to verify that the SHA512SUMS file has not been modified.

To verify a project release, first get my GPG key (above). Then, run gpg --verify SHA512SUMS.asc SHA512SUMS in the directory with those files. If GPG reports a good signature, then the checksums can be trusted. Note that you may receive an error about trust if you have not assigned a trust value to my key.

Now you can verify the files themselves with the following command: sha512sum -c SHA512SUMS. The sha512sum program will automatically compare the checksums in SHA512SUMS to the checksums of the actual files (which must be in the current directory as well). There may be errors if not all of the files are present in the current directory, which is fine. Just make sure the files you did download verify successfully.

If these steps return no errors, then you can have strong confidence that the release files have not been tampered with.
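The two verification steps above combined into one script, as an added example that is not from the original page. It also pins the signer to a fingerprint you already trust, because gpg --verify reports a good signature for any key in your keyring. EXPECTED_FPR is a placeholder (this page does not list the fingerprint) and the function names are made up for the example.

```shell
# Added example: verify a release directory holding SHA512SUMS and SHA512SUMS.asc.
# EXPECTED_FPR is a placeholder; set it to the 40-hex-digit primary key
# fingerprint you obtained over a channel you trust.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Reads `gpg --status-fd` output on stdin. Succeeds only if gpg reported
# GOODSIG (not EXPKEYSIG/REVKEYSIG/BADSIG) and the primary-key fingerprint,
# which is the last field of the VALIDSIG line, equals the pinned one.
signed_by() {
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
    END { exit !(good && pinned) }'
}

# Checks the files that are present in the directory. Files you did not
# download are skipped (GNU coreutils 8.25+), but at least one file must
# verify: sha512sum fails with "no file was verified" otherwise.
check_files() {
  ( cd "$1" && sha512sum -c --ignore-missing --quiet SHA512SUMS )
}

# Step 1: signature on the checksum list. Step 2: the files themselves.
verify_release() {
  dir="${1:-.}"
  gpg --status-fd 1 --verify "$dir/SHA512SUMS.asc" "$dir/SHA512SUMS" 2>/dev/null \
    | signed_by "$EXPECTED_FPR" \
    || { echo "SHA512SUMS is not signed by the pinned key" >&2; return 1; }
  check_files "$dir" \
    || { echo "checksum verification failed" >&2; return 1; }
  echo "release verified"
}
```

Source the file and run verify_release DIR with EXPECTED_FPR set in the environment.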

Git Commits

Some commits to the repositories at code.aidanmontare.net are also signed. Read more about using Git and GPG to understand how to validate these.

GPG Tips

GPG is pretty easy to use once you get the gist of it. Try gnupg.org for some basic information.

You can generate a GPG key for yourself with gpg --gen-key. List your keys with gpg -k, the fingerprints with gpg --fingerprint, the signatures with gpg --check-sigs, or your private keys with gpg -K. Export the public key with gpg --armor --export KEY (omit --armor to get the binary GPG key format instead of text).

The following two commands (put together with && so they run consecutively) will gather checksums of every file in the current directory (excluding files in subdirectories, the checksum list itself, and any signature left over from an earlier run), output them to a file, and then create a detached GPG signature of the file:

find . -maxdepth 1 -not -type d -not -name SHA512SUMS -not -name SHA512SUMS.asc -exec sha512sum {} \; > SHA512SUMS && gpg -b --armor SHA512SUMS

Aren’t command lines fun? If you like this and don’t want to type it every time, put the following in your ~/.bashrc file:

function sha512dir {
    # Checksum every non-directory entry here, then sign the list (writes SHA512SUMS.asc)
    find . -maxdepth 1 -not -type d -not -name SHA512SUMS -not -name SHA512SUMS.asc -exec sha512sum {} \; > SHA512SUMS && gpg -b --armor SHA512SUMS
}

Now in any new bash terminal for your user, you can type sha512dir and have all the files in the directory checksummed and signed.

You should be able to set git to automatically sign all commits: git config --global commit.gpgsign true, but I can’t get this to work.

More about Git signing.