[Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint - page 2.

Husna QA

legendary

Activity: 2254

Merit: 2852

#SWGT CERTIK Audited

Quote from: LoyceV on November 20, 2020, 05:11:08 AM

I don't have that option (in Kleopatra, running Linux) under the Tools menu, but it works from the system tray. I have the Certificate imported under "Other Certificates". -snip-

Recently I tried Kleopatra version 3.0.1 on Ubuntu 18.04.5 LTS and managed to verify the message.
Maybe the following methods worked for you too:

- Copy the Public Key into Clipboard.
- At Kleopatra, click the Clipboard button, select Certificate Import.

- The User ID is still not certified; Right-click selects Certify...

- Copy the signed message to Text Editor and save it with the file extension * .asc.

- Click the Decrypt/Verify button and select the * .asc file.

- Here are the results:

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: Husna QA on November 19, 2020, 09:03:44 PM

Then I tried it at Kleopatra. I tried to import the public key via the Tools menu -> Clipboard -> Certificate Import (I see this method is not in the OP).

I don't have that option (in Kleopatra, running Linux) under the Tools menu, but it works from the system tray. I have the Certificate imported under "Other Certificates".

Quote

Then verify the message

I did this also from the system tray, but get this:
Image loading...

I have no idea how to proceed Sad

I have another message I want to verify (for a potential scam accusation thread), and that one I can't share.

Husna QA

legendary

Activity: 2254

Merit: 2852

#SWGT CERTIK Audited

Quote from: LoyceV on November 19, 2020, 06:15:57 AM

-snip-
After trying to verify, Kleopatra tells me this:

Quote

Not enough information to check signature validity.
Signed on Thursday, 19 November 2020 10:57:13 CET by [email protected] (Key ID: 0x77379A5D).
The validity of the signature cannot be verified.

There may be a problem importing a public key/fingerprint at Kleopatra.

I was able to verify the message using GPG Keychain on macOS.

Then I tried it at Kleopatra. I tried to import the public key via the Tools menu -> Clipboard -> Certificate Import (I see this method is not in the OP). Then verify the message, and here are the results:

DdmrDdmr

legendary

Activity: 2310

Merit: 10758

There are lies, damned lies and statistics. MTwain

Stumbling myself a fair share on my local board with PGP (no need to see PGP ¿Puedes enviar mensajes cifrados?), so exploring the PGP Newbie avenues myself.

Doing so, I’ve encountered the following issue:
-   I’ve created a new PGP pair, and published my PGP public key (using Kleopatra).

-   @FullNode published a message on a post, using my PGP public key to create his (not sure though which software he used).

-   When I try to decrypt the message, I get:

Code:

El cifrado falló: sin protección de identidad (MDC) ..
Nombre de archivo incrustado: 'text.txt'
Pista:Si este archivo se cifró antes del año 2003 es muy posible que sea ilegítimo. Esto es debido a que la protección de integridad no se usaba ampliamente.

Si usted confía en que el archivo no se manipuló, debería volver a cifrarlo antes de forzar el descifrado.

Destinatario: ddmrddmr (E68F 78F5 AE23 5184)

Pressing "diagnostics" shows:

Code:

gpg: NOTA: el cifrado CAST5 no aparece en las preferencias del receptor
gpg: cifrado con clave de 3072 bits RSA, ID E68F78F5AE235184, creada el 2020-11-19
      "ddmrddmr"
gpg: ATENCIÓN: la intgridad del mensaje no está protegida
gpg: Hint: If this message was created before the year 2003 it is
     likely that this message is legitimate.  This is because back
     then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!

The "force cypher" button on Kleopatra does nothing.

The quote’s above are in Spanglish, but the basic issue that does not allow for the message to be decrypted, seems to be that my cypher default algorithm on Kleopatra is "AES", while @ FullNode encrypted the message using "CAST5".

I would have expected the PGP tools to be able to figure it out on their own, but it seems not, which is also something to ponder (that or my Newbie PGP status). I tries changing from AES to CAST5 on Kleopatra’s configuration, but still got nowhere (when I closed/reopened Kleopatra, it went back to AES anyway).

Anyone know how frequent these cypher algorithm clashes occur, and whether it is tool dependent and/or resoluble using Kleopatra on the message decoding side ?

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Total PGP n00b here Sad

I'm trying to verify a PGP signed message.
This is the message:

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

{
  "comment": "Never share your Letter of Guarantee with third parties. Attach this document to our Support Team only when you are facing problems with your mixing order. The Letter of Guarantee is only available during the active mixing operation. After the completion all data about your order will be deleted automatically from our database.",
  "createdAt": "2020-11-19T09:57:06.272Z",
  "orderId": "8met22-y42jhq-113f2m",
  "currency": "BTC",
  "serviceFee": "3.68%",
  "feePerAddress": "0.00025 BTC",
  "depositAddress": "3MCTfAkzR41eGJhPwvBHQ2EuL66JsGx4VH",
  "destinations": [
    {
      "address": "1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD",
      "share": "100.0%",
      "delay": "129 minutes"
    }
  ]
}
-----BEGIN PGP SIGNATURE-----

wsFcBAEBCgAGBQJftkF5AAoJEMAcNId3N5pdvUcQAJKd9AuhleFpHAVgfWZ/
xVXigNTyVAUrkcz+mhYjYzgK7wvsWpPdQ5nl91EcZrqyQykbSvRB3YR68/32
jZGVkbXbEkuph6aXABb1rcAo7dmI7MaroMaWg1HLN+Lz1zEjljYJNgeKrHNN
+VlMdO2ucLRyBnDJOeBccaIVTyT6qflyjOXNLaIjebdlYmp2EPFc/abx5N2A
hCdT0Yk7qsTH7RPwwRordt05LhF018g0Azjb7/GR8mdCCgKPpgOsxYoIMcEE
KtG/71xrItsbBRNPxQKaS2VrjGYyaHGvQ6P1XJ99TR/t4RZotaMyLcoIjBEN
Z5Sdb0sFjZOCuyFScDR/3FkiKqVIUzWeyAyGaWfKxHsJdT5grTZtmrBCb25n
sGj+P9vk6OktLkA06rWszGcl4z0TfWlHbE0Xo7dK2RN4oJS6LF2GjwDO/BVD
fpsKpZ4Z2r+1VVF/G+zI2+9hTocRFMCCmWdvEfMSLIfu6G5Ln4CeBFbXO7cD
LHzKKNlNtLTZbpHhprrljb09gOqebAQ2hCGBt4jP+ZgmQvWGHfgVL7x4kZjw
9Xk1x9h+TKfNEBN5j38tDpna5k9PgF3EV4fyv0dBIu5Sruf8ekvqw6c4dI9W
no6JyJLpuQQFL4NB+kWXcUg7tfzEqK0/zhgCp+MjKdst0VxRrsg/tGh3RGS5
KSBB
=h7XR
-----END PGP SIGNATURE-----

And this is the PGP public key:

Code:

After trying to verify, Kleopatra tells me this:

Quote

Not enough information to check signature validity.
Signed on Thursday, 19 November 2020 10:57:13 CET by [email protected] (Key ID: 0x77379A5D).
The validity of the signature cannot be verified.

Am I doing something wrong?

Husna QA

legendary

Activity: 2254

Merit: 2852

#SWGT CERTIK Audited

Quote from: Maus0728 on November 18, 2020, 01:33:41 AM

-snip- Is there any other workaround where I can directly paste my "Fingerprint" to MIT PGP Key Server for lookup instead of manually creating a link of -snip-

If you have successfully uploaded your public key at https://pgp.mit.edu/ or other Key servers, you can replace my fingerprint below with your own:
https://pgp.mit.edu/pks/lookup?search=0x58BC997445D96F68DB65C169A2CA884F183D22E9
http://keyserver.ubuntu.com/pks/lookup?search=0x58bc997445d96f68db65c169a2ca884f183d22e9&fingerprint=on&op=index

You can also use http://keyserver.ubuntu.com/ for Search key/Submit key; Click Advanced Options to view Index options/Index type.

Quote from: Maus0728 on November 18, 2020, 01:33:41 AM

-snip- In MIT Key Server, there are three sections and I assume the "Extract Key" is the section I will be using to search for my public key though I am not sure what string I will be using? Is it the FINGERPRINT itself? -snip-

MIT PGP Public Key Server brief guide:

Quote from: https://pgp.mit.edu/extracthelp.html

Extracting a key

Type the text you want to search for in the ``Search String'' box. If you want to look up a key by its hexadecimal KeyID, you have to prefix the ID with 0x
Select either the ``Index'' or ``Verbose Index'' check box. The ``Verbose'' option will display signatures on keys.
Press the ``Do the search!'' button.
The server will return a list of keys matching the search text. The page will have links for every KeyID, and every bracket-delimited identifier (i.e. < [email protected]>). Clicking on the hypertext link will display an ASCII-armored version of the public key.

Currently, I am personally more comfortable using http://keyserver.ubuntu.com/ instead of https://pgp.mit.edu/

Maus0728

legendary

Activity: 1904

Merit: 1563

Bitcoin Casino Est. 2013

@Husna QA,
Thanks you for the heads up. I've now gone past the same problem they encountered from following the tutorial. I have now changed the default key server to https://pgp.mit.edu/ and was able to lookup my "PGP Public Key Block".

Is there any other workaround where I can directly paste my "Fingerprint" to MIT PGP Key Server for lookup instead of manually creating a link of

Code:

https://pgp.mit.edu/pks/lookup?op=get&search=0x3466CFA83DEBE525F40446E5AC1D3A48A6161C75

In MIT Key Server, there are three sections and I assume the "Extract Key" is the section I will be using to search for my public key though I am not sure what string I will be using? Is it the FINGERPRINT itself?

Husna QA

legendary

Activity: 2254

Merit: 2852

#SWGT CERTIK Audited

Quote from: abdulodoi on November 16, 2020, 11:56:06 AM

An error occurred while trying to export OpenPGP certificates.
Server indicated a failure gpg: keyserver send failed: Server indicated a failure
-snip-

Try changing the OpenPGP keyserver.
If you are using Windows OS and Kleopatra as in the tutorial above, go to Settings -> Configure Kleopatra ...
In the OpenPGP Keyserver column (default: hkps: //hkps.pool.sks-keyservers.net), enter the keyserver that is still active/accessible, https://pgp.mit.edu; http://keyserver.ubuntu.com/; or other servers; then click OK.

Quote from: Husna QA on April 30, 2020, 11:35:34 AM

-snip-

Here's an example of my public key:
http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x58bc997445d96f68db65c169a2ca884f183d22e9

Maus0728

legendary

Activity: 1904

Merit: 1563

Bitcoin Casino Est. 2013

Quote from: abdulodoi on November 16, 2020, 11:56:06 AM

An error occurred while trying to export OpenPGP certificates.
Server indicated a failure gpg: keyserver send failed: Server indicated a failure

It is because the SKS PGP Keyserver is being abandoned due to peoples abuse of known public keys on the server. I stumbled on this article when I tried looking for other keyserver lookup as alternative as I was also following the same tutorial. But still, even without uploading it to a keyserver, you can still verify the pgp signature of an application and encrypt/ decrypt a message.

Quote from: https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it

The Death of SKS PGP Keyservers, and How First Look Media is Handling It
The SKS keyserver network is dying. This has been a long time coming. The nail in SKS’s coffin came in late June when someone abused important public keys that people rely on.

coupable

hero member

Activity: 2338

Merit: 757

Quote from: abdulodoi on November 16, 2020, 11:56:06 AM

An error occurred while trying to export OpenPGP certificates.
Server indicated a failure gpg: keyserver send failed: Server indicated a failure

This is what i got while trying to publish on directory service. Do you know what i did wrong?

Unfortunetly, there is no other guides show you how to interact with pgp signatures here in bitcointalk. I also remember how i followed this guide and face the same error but i didn't look further. Better to ask for opinions directly from users community .
Thanks for bumping this topic, i was looking for it .

abdulodoi

member

Activity: 91

Merit: 35

An error occurred while trying to export OpenPGP certificates.
Server indicated a failure gpg: keyserver send failed: Server indicated a failure

This is what i got while trying to publish on directory service. Do you know what i did wrong?

Quote

It is because the SKS PGP Keyserver is being abandoned due to peoples abuse of known public keys on the server. I stumbled on this article when I tried looking for other keyserver lookup as alternative as I was also following the same tutorial. But still, even without uploading it to a keyserver, you can still verify the pgp signature of an application and encrypt/ decrypt a message.

I don't know why people like to abuse things like this. Indeed i was able to encrypt a message and @OgNasty was about to decrypt it.

Husna QA

legendary

Activity: 2254

Merit: 2852

#SWGT CERTIK Audited

Quote from: mdayonliner on May 20, 2018, 09:18:56 PM

Click here for my Fingerprint on the server.

Code:

81DAEE690159E01E28FF951086FEA0B65C6E1B2C

I added your public key to the list of my GPG keychain (Mac OS)

Quote from: Fondo Platform on May 24, 2018, 10:26:06 PM

I recommend use ecdsa or ed25519 rather than rsa.

Code:

gpg2 --expert --gen-key

ECC: Elliptic-curve cryptography

This is mine:

Quote from: Husna QA on March 29, 2018, 12:09:42 AM

Public Key (ECC) :

Code:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: keys2.kfwebs.net

mDMEWrfNQhYJKwYBBAHaRw8BAQdAdbmtnI5jUV8a1ZD3U/O5SfpBOIq/Oy8ZfyoV1eqMe/W0
J0h1c25hIFFBIDxodXNuYS5xdXJyb3RhLmEuMDJAZ21haWwuY29tPoiQBBMWCAA4FiEEybKQ
yMh8m7X0QOgq0h/QQwau02IFAlq3zUICGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ
0h/QQwau02L1swD+NC0xZ+UydJYspOVwMJEWwNryXiTmTo6ZMqqNCqYse3sBALZnx+yd9BQ8
Jdlt4CVLvEmZ9y98TZokm1P/5F5ai7wMuDgEWrfNQhIKKwYBBAGXVQEFAQEHQDG6zTZiDnDq
FTpjHMxIQrH0bMkgVUUdGS/VxSpnIU4zAwEIB4h4BBgWCAAgFiEEybKQyMh8m7X0QOgq0h/Q
Qwau02IFAlq3zUICGwwACgkQ0h/QQwau02KEXgEAwAHLV4VvD4P91x+EP5TWtOTbtJhe5Qdo
sZg3c+J1LlkBANCigRMpS0AJSxebWwe9XcpEpuQ8NViTC3fx7MQrTa0AiJAEExYIADgWIQTJ
spDIyHybtfRA6CrSH9BDBq7TYgUCWrfNQgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK
CRDSH9BDBq7TYvWzAP40LTFn5TJ0liyk5XAwkRbA2vJeJOZOjpkyqo0Kpix7ewEAtmfH7J30
FDwl2W3gJUu8SZn3L3xNmiSbU//kXlqLvAw=
=vPXh
-----END PGP PUBLIC KEY BLOCK-----

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

@madnessteat
The program stores your keyrings here: C:\Users\UserName\AppData\Roaming\gnupg
So even if you uninstall the software your keys should remain in that folder. That is why you see them the 2nd time you install Kleopatra on your device.

Source:
http://wald.intevation.org/forum/forum.php?thread_id=1226&forum_id=21&group_id=11

madnessteat

legendary

Activity: 2240

Merit: 2005

Quote from: mdayonliner on March 09, 2019, 02:13:40 PM

You will need to import your private key. It's important you always keep the backup of your private key.

You do not understand me. Sorry for my English. When I install the program a second time, it automatically shows me my certificate (name and email).
I entered the installed program only:

The program does not ask me to enter anything when you first enter.

Before removing the program, I should to delete the certificate manually?

mdayonliner

copper member

Activity: 630

Merit: 420

We are Bitcoin!

Quote from: madnessteat on March 09, 2019, 02:04:08 PM

Tell me please. When I delete the Kleopatra and install it again, my certificate immediately appears in it. Where is it stored on the computer, if I did not import it into my computer?

You will need to import your private key. It's important you always keep the backup of your private key.

madnessteat

legendary

Activity: 2240

Merit: 2005

Tell me please. When I delete the Kleopatra and install it again, my certificate immediately appears in it. Where is it stored on the computer, if I did not import it into my computer?

electrobit

member

Activity: 317

Merit: 81

Next to Full Member Rank.

Quote from: TryNinja on May 26, 2018, 07:06:50 PM

Quote from: electrobit on May 26, 2018, 06:12:36 PM

Could someone explain what is the purpose or advantages about to create or make a PGP?

Mostly privacy. You don't want the NSA reading your emails, do you?

Quote

PGP is useful for two things: 1. Privacy and Security, and 2. Authenticity. By privacy, I mean that you can prevent people from seeing things. For example, you can encrypt an email to someone, or encrypt a file with a list of passwords. By Authenticity, I mean that you can ensure a message was sent/written by the person you think it was, and that it wasn't modified by a third party. Of course, these two can be combined. I'll discuss these further.

Source: https://www.phildev.net/pgp/gpgwhy.html

Got it!

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: electrobit on May 26, 2018, 06:12:36 PM

Could someone explain what is the purpose or advantages about to create or make a PGP?

Mostly privacy. You don't want the NSA reading your emails, do you?

Quote

PGP is useful for two things: 1. Privacy and Security, and 2. Authenticity. By privacy, I mean that you can prevent people from seeing things. For example, you can encrypt an email to someone, or encrypt a file with a list of passwords. By Authenticity, I mean that you can ensure a message was sent/written by the person you think it was, and that it wasn't modified by a third party. Of course, these two can be combined. I'll discuss these further.

Source: https://www.phildev.net/pgp/gpgwhy.html

electrobit

member

Activity: 317

Merit: 81

Next to Full Member Rank.

Could someone explain what is the purpose or advantages about to create or make a PGP?

Fondo Platform

newbie

Activity: 51

Merit: 0

I recommend use ecdsa or ed25519 rather than rsa.

Code:

gpg2 --expert --gen-key

Code:

gpg (GnuPG) 2.1.8; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)

ECC: Elliptic-curve cryptography

Topic: [Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint - page 2. (Read 2350 times)