Check files with detached PGP signature certificates


Contents

Install PGP
Load my public PGP key
Check my public PGP key
Load detached signature certificate
Perform the check


Install PGP

First of all you need to install PGP. I use PGP V5.0 for OS/2; this version is able to create and use both the old RSA keys and the new DSS/Diffie-Hellman keys.

It is important to know that the new DSS/Diffie-Hellman keys of version 5.0, and the signatures made with them, cannot be used by users of version 2.6.3ia and below. Since PGP 5.0 can still use the old keys, a good compromise is to create and use an RSA key, so that users of version 2.6.3ia and below can use your key and your signatures.

Make sure that with PGP V5.0 you set the configuration option version in PGP.CFG to 3, otherwise PGP messages will not be compatible with PGP version 2.6.3ia.

Sources for OS/2 and other Platforms:
The International PGP Home Page - Download


Load my public PGP key

Copy my public PGP key into a file on your hard disk and import this key with the command:

pgp -ka filename (PGP V2.6.x)
pgpk -a filename (PGP V5.0)

With PGP V5.0 you can also import my key directly from my website with the command:

pgpk -a http://www.clanganke.de/os2/pgp/chris.key

Take a look at the newly imported key and its signatures with:

pgp -kvv "Christian Langanke" (PGP V2.6.x)
pgpk -ll "Christian Langanke" (PGP V5.0)

Note that I have signed my own key. The self-signature ensures that nobody (except me) could have manipulated the user ID without the signature check failing.

When you use PGP keys from public sources (such as keyservers), make sure that such a key is at least signed by its owner. Do not trust any key that is not self-signed, even when it is signed by others, because those other signatures could just as well have been made by an attacker.

On the other hand, a self-signature only proves that the user ID really belongs to that key, i.e. that whoever holds the private key attached it. It does not prove that the key belongs to the person named in the user ID. To know that, you still need signatures from other keys that you already trust.
For checking software, or for encrypting mail of little importance to people you do not know, a self-signed PGP key should be sufficient. For encrypting very important personal messages I would not rely on such a key, though.

Check my public PGP key

Check my public key by examining the signatures and the PGP fingerprint of this key. Execute the following commands:

pgp -kc "Christian Langanke" (PGP V2.6.x)
pgpk -c "Christian Langanke" (PGP V5.0)

pgp -kvc "Christian Langanke" (PGP V2.6.x)
pgpk -ll "Christian Langanke" (PGP V5.0)

The first command checks the signatures on the key and prints a warning if a signature does not verify, which happens when the key or a user ID has been modified after it was signed. If no such warning is shown, the signatures are OK.

The second command displays the fingerprint of my key; compare it with this PGP fingerprint. If both are identical, the key you imported is the one published here. Since this page and the key file come from the same website, that comparison protects you against a key that was substituted on a keyserver; if you need more assurance, confirm the fingerprint through a second channel as well.

Load detached signature certificate

Copy the detached PGP signature certificate into a file on your hard disk. You will always find the link to the certificate in the same section as the link for downloading the zip file. The link to a certificate is marked with a special symbol.

Perform the check

Besides the signature certificate you of course still need the zip file that is to be checked. When you have both files on your hard disk, the following command checks the zip file:

pgp certificate_file zip_file (PGP V2.6.x)
pgpv certificate_file (PGP V5.0 - enter the zip filename when prompted for it)

As an example: if your zip file is named archive.zip and you have saved the certificate in a file named cert.txt, then the check command is:

pgp cert.txt archive.zip (PGP V2.6.x)
pgpv cert.txt (PGP V5.0 - enter the zip filename when prompted for it)

PGP then reports either that the signature is good or that it is bad. Note that only a completely unmodified zip file passes this test; a single changed byte is enough to make the signature bad. Also check that the user ID or key ID PGP names for the good signature is the key you verified above: a good signature from some other key only proves that somebody else signed the file.
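The following Python script is an added example; it is not part of this page and it is not code from PGP. It reads a detached signature certificate (the ASCII-armored signature packet) and reports what the certificate claims: the signature packet version (3 is the old format that PGP 2.6.x can read, 4 is the PGP 5.0 format), the public-key and hash algorithms, and the key ID of the issuing key, so that you can check that the certificate was made by the key you verified above and in a format your PGP version understands. It does not verify the signature itself; that remains pgp's job. The key ID and the two sample certificates are constructed placeholders with fake signature MPIs, so the script runs without any real key.

```python
import base64
import struct

# Added example (not from the page or from PGP): parse a detached PGP signature
# certificate and report what it claims, so you can check the signature version
# and the issuing key ID. It does not verify the signature itself; pgp does that.
# The sample packets below are constructed by hand with placeholder MPIs.
SAMPLE_KEY_ID = bytes.fromhex("0123456789ABCDEF")  # hypothetical key ID
PK_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1"}

def dearmor(text: str) -> bytes:
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature certificate")
    body = lines[1:-1]
    while body and body[0] != "":  # skip "Version:"-style armor headers
        body.pop(0)
    body = [line for line in body[1:] if not line.startswith("=")]  # drop blank and CRC lines
    return base64.b64decode("".join(body))

def parse_subpackets(data: bytes) -> list:  # v4 subpacket area -> [(type, value)]
    out, pos = [], 0
    while pos < len(data):
        first, pos = data[pos], pos + 1
        if first >= 255:
            length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
        elif first >= 192:
            length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
        else:
            length = first
        out.append((data[pos] & 0x7F, data[pos + 1:pos + length]))  # high bit = critical
        pos += length
    return out

def parse_signature_packet(data: bytes) -> dict:
    tag_byte = data[0]
    if tag_byte & 0x40:  # new-format header (PGP 5.0 and later)
        tag, first = tag_byte & 0x3F, data[1]
        if first < 192:
            length, offset = first, 2
        elif first < 224:
            length, offset = ((first - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("oversized or partial packet length not supported")
    else:  # old-format header (PGP 2.6.x); length type 3 is indeterminate
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        offset = (2, 3, 5)[ltype]
        length = int.from_bytes(data[1:offset], "big")
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body, version = data[offset:offset + length], data[offset]
    if version == 3:  # fixed layout: 5, type, time, key ID, pk algo, hash algo
        if body[1] != 5:
            raise ValueError("malformed v3 signature")
        sig_type, key_id, pk_algo, hash_algo = body[2], body[7:15], body[15], body[16]
    elif version == 4:  # key ID lives in an issuer subpacket (type 16)
        sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
        pos = 6 + struct.unpack(">H", body[4:6])[0]
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        subs = parse_subpackets(body[6:pos]) + parse_subpackets(body[pos + 2:end])
        key_id = next((v for t, v in subs if t == 16), None)
    else:
        raise ValueError(f"unsupported signature version {version}")
    return {"version": version, "sig_type": sig_type, "pk_algo": pk_algo,
            "hash_algo": hash_algo, "key_id": key_id}

def describe(armored: str, expected_key_id_hex: str) -> dict:
    sig = parse_signature_packet(dearmor(armored))
    key_id_hex = sig["key_id"].hex().upper() if sig["key_id"] else None
    return {"version": sig["version"], "key_id": key_id_hex,
            "pk_algo": PK_ALGOS.get(sig["pk_algo"], str(sig["pk_algo"])),
            "hash_algo": HASH_ALGOS.get(sig["hash_algo"], str(sig["hash_algo"])),
            "pgp26_compatible": sig["version"] == 3 and sig["pk_algo"] == 1,  # v3 RSA only
            "issuer_matches": key_id_hex == expected_key_id_hex.upper()}   # the key you checked?

def armor(packet: bytes) -> str:  # wraps a raw packet; used only to build the samples
    body = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP SIGNATURE-----\nVersion: sample\n\n{body}\n-----END PGP SIGNATURE-----\n"

def build_v3_sample(key_id: bytes) -> bytes:  # v3 RSA/MD5, old-format header
    body = (bytes([3, 5, 0]) + struct.pack(">I", 900000000) + key_id + bytes([1, 1])
            + b"\xAB\xCD" + struct.pack(">H", 16) + b"\xBE\xEF")  # hash prefix, fake MPI
    return bytes([0x88, len(body)]) + body

def build_v4_sample(key_id: bytes) -> bytes:  # v4 DSA/SHA-1, new-format header
    hashed = bytes([5, 2]) + struct.pack(">I", 900000000)  # creation-time subpacket
    unhashed = bytes([9, 16]) + key_id                     # issuer key ID subpacket
    body = (bytes([4, 0, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD" + struct.pack(">H", 16) + b"\xBE\xEF")
    return bytes([0xC2, len(body)]) + body

if __name__ == "__main__":
    for sample in (build_v3_sample(SAMPLE_KEY_ID), build_v4_sample(SAMPLE_KEY_ID)):
        print(describe(armor(sample), "0123456789ABCDEF"))
```

Run as-is it describes both constructed samples; to inspect a real certificate, pass the contents of the cert file to describe() together with the key ID that pgpk -ll (or pgp -kvv) shows for the key you verified. A certificate that parses as version 4 cannot be checked with PGP 2.6.x at all, which is the compatibility issue described in the Install PGP section, and an issuer key ID that does not match the verified key means the file was signed by somebody else, however "good" pgp reports the signature to be.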


Last update: 15. Jul 2008 © Christian Langanke 1997-2010