____________________

                           CRYPTOGRAPHY HOWTO

                           David K. Trudgett
                          ____________________


Table of Contents
_________________

1. The OpenPGP Standard
2. Getting Set Up With OpenPGP Tools
3. How to Verify the Integrity and Authorship of Files in this Gopherhole
.. 1. Downloading and Importing the Key from here
.. 2. Obtaining the Public Key from a Public Keyserver
.. 3. Verifying a Downloaded File Against its Signature





1 The OpenPGP Standard
======================

  OpenPGP is the Internet open-standards take on Phil Zimmermann's
  original PGP encryption program and its subsequent development. For
  an overview, you may wish to refer to the [Pretty Good Privacy]
  article on Wikipedia.

  Many sources of information, including the [OpenPGP website] itself,
  will tell you that OpenPGP is an email encryption standard. That is
  not true. It is an open encryption standard which can be applied to
  virtually anything, such as files, documents, whole disk contents, and
  so on. It is also commonly applied to email communications; however,
  it is not limited to that domain.

  This gopherhole, for instance, uses OpenPGP (and, in particular, the
  GnuPG implementation of it) to provide cryptographic signatures for
  the main files which are available for download. When you verify these
  signatures, you can be assured of two things:

  1. The file was created by me; and
  2. The file has not been altered in any way, shape or form since I
     created and signed it. This also tells you that the file was not
     corrupted during the download process.


[Pretty Good Privacy]
<https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP>

[OpenPGP website] <https://www.openpgp.org/>


2 Getting Set Up With OpenPGP Tools
===================================

  All of the major platforms, such as Linux, BSD*, Mac OS, Windows, iOS
  and Android, have OpenPGP implementations available for them.

  If you have not yet read my Recipe for Freedom snippet, you should
  consider doing so, as it contains further rationale and links to
  practical things you can do to increase privacy and freedom in general.


3 How to Verify the Integrity and Authorship of Files in this Gopherhole
========================================================================

  Having installed and configured your OpenPGP implementation according
  to the suggestions under the previous heading, you are now ready to
  perform the simple steps required to verify the integrity and
  authorship of the files you download from this gopherhole.

  When you download a PDF article or image file from this gopherhole,
  download its signature file at the same time. Do not wait until later
  to download the signature file, for the simple reason that if the
  document or file is updated in the gopherhole in the future, so will
  its signature be updated, and you will never be able to verify the old
  file because you do not have the old signature that goes with it. All
  you could do in that case would be to download the updated file and
  the updated signature and verify the new file only.

  Once you have both the file and the signature that goes with it (named
  the same, but with an additional `.sig' extension), then you are set
  to verify the integrity of the file.

  The first time you verify one of my files, you will need to retrieve
  my public key to use in the verification process. This is a once-off
  thing, which you will not need to repeat. You can get this key either
  by downloading it directly from this gopherhole (in the `resources'
  folder or main index), or by obtaining it from one of the public
  "keyservers" that are out there.


3.1 Downloading and Importing the Key from here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  These are the required steps:

  1. Go to the main index or resources folder of this gopherhole, and
     find the link to download my public key, and download it to your
     computer.
  2. Use your keyring manager, for example, Kleopatra, to import the
     downloaded public key (sometimes called a "certificate").
  3. Use your keyring manager to check that the fingerprint of the
     imported key matches the one published in this gopherhole or the
     website.

  You can generally also use a command line to do this, if you wish. For
  example, to import a key from `some-key.asc':

  ,----
  | $ gpg --import some-key.asc
  `----

  Downloading my key from here obviously assumes that the Torah Toolbox
  gopherhole has not itself been compromised.


3.2 Obtaining the Public Key from a Public Keyserver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  There are only two steps required for this:

  1. Use your keyring manager, for example, Kleopatra, to search for and
     import my public key. Search for `david@trudgett.me'.
  2. Use your keyring manager to check that the fingerprint of the
     imported key matches the one published in this gopherhole or the
     website.

  Using the `gpg' command line, you could do the same with the following
  command:

  ,----
  | $ gpg --search-keys david@trudgett.me
  `----


3.3 Verifying a Downloaded File Against its Signature
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  With the `.sig' file and the document file in the same
  folder/directory, follow these steps:

  1. Open your keyring manager, for example, Kleopatra, and select the
     option to verify a file. In Kleopatra, you may find this on the
     toolbar, and it is called "Decrypt/verify...".
  2. Select the `.sig' file and choose "Open".

  If all goes well, you will have a message displayed to you which says
  that a valid signature from me (my email address) was found.

  You can generally do the same thing using the command line, similar to
  the following example:

  ,----
  | $ gpg --verify the-name-of-the-article.pdf.sig
  `----

  and you should get results similar to:

  ,----
  | gpg: assuming signed data in 'the-name-of-the-article.pdf'
  | gpg: Signature made Thu 28 May 2020 09:31:29 AEST
  | gpg:                using RSA key B3F45566982B67549B1FE2865676F1279D1C2A91
  | gpg: Good signature from "David Trudgett <David.Trudgett@emailaddress>"
  `----

  The example commands assume, of course, that you are using GnuPG.
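  The steps above (import the key, compare its fingerprint with the
  published one, then verify the `.sig' file) can be chained into one
  script. The following is an added example, not code from the
  gopherhole: it reads the fingerprint of the imported key back from
  `gpg --with-colons', and accepts a verification only when the
  machine-readable VALIDSIG status line names that same key, so a "Good
  signature" from some other key in your keyring is rejected. The
  function names are made up for this example, and `EXPECTED_FPR' is a
  placeholder to be replaced with the fingerprint published here.

```shell
#!/bin/sh
# Added example, not part of the original gopherhole: a small wrapper
# around GnuPG that (a) reads back the fingerprint of an imported key so
# it can be compared with the published one, and (b) verifies a detached
# .sig file while insisting that the VALIDSIG status line names that same
# key, rather than merely any key that happens to be in your keyring.

# Placeholder: replace with the fingerprint published in the gopherhole.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# primary_fpr_from_listing LISTING
#   LISTING is `gpg --with-colons --fingerprint <key-id>` output. Prints the
#   primary key fingerprint (field 10 of the first fpr: record).
primary_fpr_from_listing() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_imported_key KEY-ID-OR-EMAIL
#   Returns 0 only if the key's fingerprint equals EXPECTED_FPR.
check_imported_key() {
    listing=$(gpg --with-colons --fingerprint "$1" 2>/dev/null) || return 1
    [ "$(primary_fpr_from_listing "$listing")" = "$EXPECTED_FPR" ]
}

# check_status STATUS_TEXT EXPECTED
#   STATUS_TEXT is what gpg writes to --status-fd. Returns 0 only if a
#   VALIDSIG record is present and either the signing-key fingerprint
#   (field 3) or the primary-key fingerprint (last field) equals EXPECTED.
check_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_file FILE.sig
#   The signed data is assumed to be FILE in the same directory, as in the
#   gpg --verify example above. Returns 0 only for a good signature made by
#   the expected key; gpg's human-readable messages go to stderr and are
#   discarded, the status lines arrive on stdout.
verify_file() {
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    check_status "$status" "$EXPECTED_FPR"
}

# Usage (once EXPECTED_FPR has been filled in):
# check_imported_key david@trudgett.me && verify_file the-name-of-the-article.pdf.sig
```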