gnupg installation and verification
Tony Lane
codeguro at gmail.com
Sat Jun 8 00:28:51 CEST 2019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
GPG is an implementation of the OpenPGP standard.
It's software that can help you utilize the tools of public key cryptography.
Public key cryptography comes in two flavors: encryption and signatures.
The PGP signatures you saw is a special hash that aids in verifying the authenticity of some data. You do this by trusting the public key of some distributor(s) or persons. The signature scheme then allows you to ensure the authenticity of the contents even if it goes through some insecure medium. You can be sure that if the signature is valid that it has been signed by the private key corresponding to the public key you trusted and that it has not been tampered with. The principle being that some change in the data requires a distinct signature, a signature that can be generated by only the holder of the private key.
Likewise, public key encryption allows you to communicate securely over an insecure medium. As I said before, this is done with public key cryptography, and the key principle here being that the keys for encryption and keys for decryption are distinct. Deriving the one key from the other is very infeasible. The keys used to encrypt the payload are public and can be exchanged freely, hence the name public keys. The keys used to decrypt the payload are kept secure and known only to the person who generated the keypair, hence the name private keys. Using this scheme you can establish a secure channel and communicate securely without meeting up in person and agreeing on a shared secret. This, paired with signatures, allows you to not only communicate some secret, but also ensure that this secret hasn't been tampered with.
You can read the tutorial for GPG here. https://futureboy.us/pgp.html
For more details, you can see the GPG manual here: https://www.gnupg.org/documentation/manuals.html
On 6/7/19 3:13 PM, Samir Zulfiquar wrote:
> Hello I just downloaded gnupg and tried to install and verify it. Unfortunately I hardly know how to do anything with a computer other than the basics, so maybe I just didn't interpret the instructions correctly. I downloaded the installer and the open pgp signature to verify it (I have no clue what a pgp signature even is). after I downloaded both I opened the pgp signature file which didn't seem to do much other than bring up text of some sort of code. I then installed gnupg, but I wasn't sure if I verified it correctly. so I decided to try again. I looked at the website again and tried right clicking on the gpg4win-3.1.8 file and went to "moreGpgEX options" and clicked verify. The computer tried to verify it with the pgp signature file but failed. I then went to the wiki page on integrity checks. Most of the things there were too technical for me to understand. the only thing I was able to do is check the file length, which was exactly what it was supposed to be. It dose
> not seem like there were any download problems, but I highly doubt it could be an attacker like the website said (I downloaded both of the files from gnupg's own website and not some other place) Anyway could someone explain in Leyman's terms what to do? Sorry if the question sounds stupid.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-----BEGIN PGP SIGNATURE-----
iLgEARMKAB0WIQQWZv6JZKxO310TWtXo8fj9gx4T0wUCXPrlIwAKCRDo8fj9gx4T
0zNbAgjCE1lKuc1nPWrGNwg5LgIRSgXrKs5blMekU99GrpfHzEnk7qtOwYmtPmqd
d9Nt9IlEqKos3XdHJGPi8pSYvhPwWgIJAbouNtKbB6Ljb6s5kwD8usgI0gpj7j6u
C0P49xJ/qxge3M4VgAKSlI2aQy4lcgJ/FdaCmY45h8+oKJXHRN4TLDrf
=D4bp
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list