Author Topic: Please stop misusing your PGP signature  (Read 697 times)

hopelessanarchist

  • Newbie
  • *
  • Posts: 33
  • Karma: +1/-0
Please stop misusing your PGP signature
« on: October 25, 2013, 12:24:27 am »
I have only been in the forum for a few hours, but I have already seen about 5 posts in this format:

post text
post text
post text
-----BEGIN PGP SIGNED MESSAGE-----
short out-of-context message
-----BEGIN PGP SIGNATURE-----
signature
-----END PGP SIGNATURE-----

NEVER DO THAT. Sorry for screaming, but if you have done that you have effectively reduced the security of your PGP signature, because anyone can just copy/paste your signed text and claim to be you.

Please just sign the full text, with a clear context and purpose, so it can't be reused by anyone in a different context.

hopelessanarchist

  • Newbie
  • *
  • Posts: 33
  • Karma: +1/-0
Re: Please stop misusing your PGP signature
« Reply #1 on: October 25, 2013, 12:27:00 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

in interest of educating SR people on proper ussage of PGP signatures I made this example to post on my topic about correct usage of pgp signatures
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
[signature body missing from this copy of the post]
=ga1k
-----END PGP SIGNATURE-----

baller69

  • Hero Member
  • *****
  • Posts: 678
  • Karma: +168/-92
  • Official Cocaine Forum Extraordinaire
Re: Please stop misusing your PGP signature
« Reply #2 on: October 25, 2013, 02:44:15 am »
I have full knowledge of using PGP to message back and forth and to place orders... but I am very confused by the whole "signature" portion... When you see someone who has a signature, what do you do with that? Do you decrypt it somehow?
Work hard, Play harder.

Fluffhead!

  • Sr. Member
  • ****
  • Posts: 365
  • Karma: +60/-45
  • My banker sure has some powerful pills
Re: Please stop misusing your PGP signature
« Reply #3 on: October 25, 2013, 03:35:04 am »
You import it into your PGP program and it verifies whether it was signed by a key matching a public key on your keyring. It verifies that the person writing the message has the password and private key.

What the OP was saying is: don't put in a few words like "signed" under your message above. If you did this, I could type a message, copy your signed generic message under it, and then hope people read the message above and trusted it because of the generic signed one.
My eyes are clear and pure, but my mind is so deranged.
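
Added example for the point the opening post and Reply #3 make (it is not code from the thread): in Python with only the standard library, a clearsigned forum post is split into its signed and unsigned parts following the RFC 4880 section 7.1 cleartext framework, the signed region is canonicalised the way the signer's software did before hashing, and the resulting digest is compared across posts. No key is needed to see the replay problem: if the digest is the same, the same real signature verifies. The posts, the vendor/buyer names and the armored signature text are constructed samples, and `split_clearsigned`, `canonical_signed_bytes`, `covered_digest` and `is_covered` are names chosen here.

```python
"""Which bytes of a forum post does a clearsign signature actually cover?

Added example for this thread, not code from the original posts. Standard
library only. Two posts whose signed regions canonicalise to the same bytes
hash to the same digest, so one real signature verifies for both, whatever
the unsigned text around the block says.
"""
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(post: str):
    """Split a post into (before, hash_algo, signed_text, signature_armor, after).

    Only signed_text is protected by the signature; before/after is whatever
    the poster (or a copy/paster) wrote around the block. Raises ValueError
    if the post has no complete clearsigned block.
    """
    lines = post.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("no complete clearsigned block in post") from None
    # Armor headers such as "Hash: SHA512" run up to the first blank line.
    hash_algo = "MD5"  # RFC 4880 default when no Hash: header is present
    i = start + 1
    while i < sig_start and lines[i].strip():
        name, _, value = lines[i].partition(":")
        if name.strip().lower() == "hash":
            hash_algo = value.strip()
        i += 1
    before = "\n".join(lines[:start])
    signed_text = "\n".join(lines[i + 1:sig_start])
    armor = "\n".join(lines[sig_start:sig_end + 1])
    after = "\n".join(lines[sig_end + 1:])
    return before, hash_algo, signed_text, armor, after


def canonical_signed_bytes(signed_text: str) -> bytes:
    """Section 7.1 rules applied before hashing: remove one level of dash-escaping,
    drop trailing whitespace, use CRLF line endings, and leave out the line ending
    just before the signature armor."""
    out = []
    for line in signed_text.split("\n"):
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    return "\r\n".join(out).encode("utf-8")


def covered_digest(post: str) -> str:
    """Hex digest of exactly the bytes the signature in this post covers."""
    _, algo, signed_text, _, _ = split_clearsigned(post)
    return hashlib.new(algo.lower(), canonical_signed_bytes(signed_text)).hexdigest()


def is_covered(post: str, phrase: str) -> bool:
    """True only if the phrase sits inside the signed region."""
    return phrase in split_clearsigned(post)[2]


# Constructed samples. The armor body is placeholder text, not a real signature.
FAKE_ARMOR = BEGIN_SIG + "\n\ncGxhY2Vob2xkZXI=\n=AAAA\n" + END_SIG
GENERIC_BLOCK = BEGIN_MSG + "\nHash: SHA512\n\nI'm vendor_x\n" + FAKE_ARMOR
HONEST_POST = "Hi all, new stock arrives next week.\n" + GENERIC_BLOCK
# Someone else pastes the same block under their own request for money.
REPLAYED_POST = "Send payment for your order to the address below.\n" + GENERIC_BLOCK + "\nThanks!"
# The same block with the signed text edited: the digest the signer made no longer matches.
AMENDED_POST = HONEST_POST.replace("I'm vendor_x", "I'm vendor_x and my address changed")
# What the OP asks for: the signed text itself names the context it is valid in.
BOUND_POST = (BEGIN_MSG + "\nHash: SHA512\n\n"
              "vendor_x, replying to buyer_y's order #418 on 2013-10-25: shipping Friday.\n"
              + FAKE_ARMOR)

if __name__ == "__main__":
    print("honest   ", covered_digest(HONEST_POST)[:16])
    print("replayed ", covered_digest(REPLAYED_POST)[:16], "<- same digest, same signature verifies")
    print("amended  ", covered_digest(AMENDED_POST)[:16], "<- different digest, signature fails")
    print("'Send payment' covered by the signature?", is_covered(REPLAYED_POST, "Send payment"))
```

A verifier that only looks at the green "good signature" result sees no difference between the honest and replayed posts; the check that matters is `is_covered` on the sentence you are about to act on.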

hopelessanarchist

  • Newbie
  • *
  • Posts: 33
  • Karma: +1/-0
Re: Please stop misusing your PGP signature
« Reply #4 on: October 25, 2013, 04:22:12 am »
Exactly. The problem is that I have already seen several examples of this kind of signature, and people buying it, in this forum.

ManInTheMirror

  • Sr. Member
  • ****
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
Re: Please stop misusing your PGP signature
« Reply #5 on: October 26, 2013, 06:19:09 pm »
Uh never thought of that, good point.
Something like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I'm ManInTheMirror
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJSbAfnAAoJEMwlQO1tp+BLnusQALIsSNLp5wzd7ay4/teTrB8Q
dU/G+dtOabaDJyZWtriY8lR9Z5BJd363ATzHwyjV6YO8ocqI30MlAvwNX20MQAZx
csg1vLwLrB4YfwFjv1qSJ/sUZ0AnEt0frlVctq0xeWag4B6cPWlzRa5W52uMM6Do
wVYCjTMOWGLaaBo1vJXcUbLU3AE4a2Et3lAOmDFsp4P+XnLKxr1H8x7f7MIODNkx
o3l4gwCf23qDEC5GXQ1wzFAoRVU1bYWysbWA/cb81GKqLK2e1Vud77hF6Eju4+5M
9ByjNDxCFWLxaWodZ8kvL+Vm7sL3FAW+wnTqE6hm6C/MwM73kGwbqXA73fxdkjQZ
Iw57Ya1HOM18ZB6nBHMS
=/Vfy
-----END PGP SIGNATURE-----

is very dangerous (don't worry, not valid :D).
Even if you write a PM, the message should be unique; e.g. mentioning the recipient of the message would be a good way to protect the message.

« Last Edit: October 26, 2013, 06:27:19 pm by ManInTheMirror »
Remember Remember, the 6th of November.
Cocaine-Powder, MDMA and Pot.
I see no reason why Silk Road,
should ever be forgot.

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
Re: Please stop misusing your PGP signature
« Reply #6 on: October 26, 2013, 06:41:51 pm »
PGP signed messages include the time/date at which they were signed. Alternatively you may date it yourself or make it specific to the circumstance.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This message is to prove I am the Dread Pirate Roberts

Date: 10/26/2013
Time: 18:37 UTC

This message is only a sample. To prove my identity, please encrypt a message to me and ask I decrypt it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJSbAxsAAoJEPMoGw8w0+tzllwQAKJx0aH7MTp5I/4emwUnxAhw
GoVBR+a4QXiGFe4U+XAwCdj4+gJMrcbx9LG+F0sUhWnnfp62RWhPGEgWAviCKiGl
QEIFNwE6/ArQvEDHV+wVkJOJWpxa9xoxPZgclMkohlPfivd0j7lqRyQiAncW5FSo
WUqqmuWneFNu/2rns5skWnjfxpfgR0SUN7DP+RjqOFmoonzQaSy1n8RIb1ZW5fwo
U3i9pIV1OruWGKeNimYYsHXalFsZMNOHiKXhr7D5N3uF+SikX0YAC3lGLdTZa2DI
yJrQKpnFPzqGiYV2wDyKx3eLwQngQBUXbq8BGM8mx7zKURdbvMxrfmwxLY34LrRm
SDDpLUuuJTdyoytn+B2AuGihJoj9EsDWwADX+WrSfb8KpvBrwdLSMfibBT66FGYQ
kotA9QqfP3pHjRaKP18h3KM1lzo+yKD6pSrY3JIYvQPV382Q1C0W9PNkQuDVAcOx
rntCcQtYRDcrKHv9zUH0jGj0BDm1BaT6ZPELIqLNXmFr5tH0B0vTTkcRSWBxaDM6
s4awygbc+Q3RJ0NMLx3g+7Pe7mM42LhNTKadf3vkerrwr0LrSeF6pRHEVPG+PH4H
iEsgbMqJwCQ9hShH6Trb5zKTg47DLxjd1vxijZXTp49mfnGYjPnudoMfBP0E6VBg
UU6zIZGwlOyMHmzATIaL
=G4Nr
-----END PGP SIGNATURE-----
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

hopelessanarchist

  • Newbie
  • *
  • Posts: 33
  • Karma: +1/-0
Re: Please stop misusing your PGP signature
« Reply #7 on: October 26, 2013, 10:47:11 pm »
PGP signed messages include the time/date at which they were signed. Alternatively you may date it yourself or make it specific to the circumstance.

[quoted sample signed message omitted; it is reproduced in full in Reply #6 above]


Yes they do, but a lot of people don't look at it, and just adding it manually, along with anything else to prevent misuse, is the way to go; otherwise an attacker that uses the text quickly enough will still be able to pose as you.

baller69

  • Hero Member
  • *****
  • Posts: 678
  • Karma: +168/-92
  • Official Cocaine Forum Extraordinaire
Re: Please stop misusing your PGP signature
« Reply #8 on: October 28, 2013, 12:08:20 am »
I guess I'm sort of unaware of the whole PGP thing, but I tried to import DPR's public key and it says "not found"...
Work hard, Play harder.

flwrchlds9

  • Full Member
  • ***
  • Posts: 198
  • Karma: +52/-9
Re: Please stop misusing your PGP signature
« Reply #9 on: October 28, 2013, 08:32:11 am »
I guess I'm sort of unaware of the whole PGP thing, but I tried to import DPR's public key and it says "not found"...

Did you import the key into your keychain?

Import DPR's key into your GPG client first. Some clients also need the trust level set, or you will see a message saying it is not trusted.
** LOOSE LIPS   SINK SHIPS **

Yoda

  • Hero Member
  • *****
  • Posts: 1452
  • Karma: +260/-34
Re: Please stop misusing your PGP signature
« Reply #10 on: October 28, 2013, 08:57:08 am »
I guess I'm sort of unaware of the whole PGP thing, but I tried to import DPR's public key and it says "not found"...

I know what it is.

Look at the key you pasted into your text editor; it has a 4-space indent, right?

When you highlight a key from a profile here, be sure to highlight just the key... don't go over. Even if it doesn't look like you highlighted beyond the key text, that doesn't mean you didn't... but if you did, you will pick up that indent. Try it the careful way, and when you paste it, it will not have that indent space... PGP programs will see it now.
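
Added example, not from the thread: a small Python helper that does what the post above describes mechanically. It finds the BEGIN/END lines in whatever was pasted, strips the indent and any surrounding profile text, confirms the body is valid radix-64 and checks the `=xxxx` CRC-24 trailer that OpenPGP armor carries (RFC 4880 section 6.1), so a damaged paste is caught before a PGP client says "not found". The armored block it runs on is built from placeholder bytes, not a real key; `clean_armor`, `crc24` and `make_armor` are names chosen here.

```python
"""Clean up an armored key or signature that was copied with an indent.

Added example for this thread, not code from the original posts. Standard
library only. The sample block is constructed from placeholder bytes.
"""
import base64
import binascii
import textwrap


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP armor (RFC 4880 6.1: init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def clean_armor(pasted: str) -> str:
    """Return the armor block re-indented to column 0 with outside text removed.

    Raises ValueError if no BEGIN/END pair is found, the body is not valid
    radix-64, or the "=xxxx" CRC-24 trailer does not match the decoded body.
    """
    lines = pasted.splitlines()
    begin = next((i for i, l in enumerate(lines) if l.strip().startswith("-----BEGIN PGP ")), None)
    end = next((i for i, l in enumerate(lines) if l.strip().startswith("-----END PGP ")), None)
    if begin is None or end is None or end <= begin:
        raise ValueError("no complete -----BEGIN PGP ... / -----END PGP ... block found")
    # Armor lines never legitimately start with whitespace, so stripping is safe.
    block = [l.strip() for l in lines[begin:end + 1]]
    # Armor headers (Version:, Comment:, ...) end at the first blank line.
    try:
        body_start = block.index("", 1) + 1
    except ValueError:
        body_start = 1
    body = block[body_start:-1]
    crc_line = None
    if body and body[-1].startswith("="):
        crc_line, body = body[-1], body[:-1]
    try:
        data = base64.b64decode("".join(body), validate=True)
        if crc_line is not None:
            expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except binascii.Error as exc:
        raise ValueError(f"armor body is not valid radix-64: {exc}") from None
    if crc_line is not None and expected != crc24(data):
        raise ValueError(f"CRC-24 mismatch: trailer {expected:06x}, body {crc24(data):06x}")
    return "\n".join(block)


def make_armor(kind: str, data: bytes) -> str:
    """Build a minimal armored block with a correct CRC trailer (for the sample below)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----"


# Constructed sample: placeholder bytes, not an OpenPGP key.
SAMPLE_DATA = b"constructed sample bytes, not a real OpenPGP public key"
GOOD_ARMOR = make_armor("PUBLIC KEY BLOCK", SAMPLE_DATA)
# What a careless highlight of a forum profile picks up: a 4-space indent and stray text.
PASTED = "Public key:\n" + textwrap.indent(GOOD_ARMOR, "    ") + "\n    (end of profile)\n"

if __name__ == "__main__":
    print(clean_armor(PASTED) == GOOD_ARMOR)  # the indented paste cleans back to the original
```

The CRC-24 check only catches transcription damage (a dropped line, a stray character, an indent that made a client reject the block); it says nothing about whether the key belongs to the person you think it does.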

ManInTheMirror

  • Sr. Member
  • ****
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
Re: Please stop misusing your PGP signature
« Reply #11 on: October 28, 2013, 02:29:25 pm »
*snip*


Yes they do, but a lot of people don't look at it, and just adding it manually, along with anything else to prevent misuse, is the way to go; otherwise an attacker that uses the text quickly enough will still be able to pose as you.

In my opinion our main goal should be to educate the users of PGP instead of being like a nanny and making everything foolproof.
DPR raised a good point with that timestamp that I wasn't aware of. So I learned something new and can't be fooled in the future.
If a lot of people don't look at it, then tell them to look at it. The other way around, there would be more possibilities of failure.
Remember Remember, the 6th of November.
Cocaine-Powder, MDMA and Pot.
I see no reason why Silk Road,
should ever be forgot.

hopelessanarchist

  • Newbie
  • *
  • Posts: 33
  • Karma: +1/-0
Re: Please stop misusing your PGP signature
« Reply #12 on: October 30, 2013, 06:05:57 am »
*snip*


Yes they do, but a lot of people don't look at it, and just adding it manually, along with anything else to prevent misuse, is the way to go; otherwise an attacker that uses the text quickly enough will still be able to pose as you.

In my opinion our main goal should be to educate the users of PGP instead of being like a nanny and making everything foolproof.
DPR raised a good point with that timestamp that I wasn't aware of. So I learned something new and can't be fooled in the future.
If a lot of people don't look at it, then tell them to look at it. The other way around, there would be more possibilities of failure.

I agree, but still, even if they don't do it themselves, they should still be aware that in cases like this a PGP signature doesn't always mean it's the owner signing.

Odin80

  • Jr. Member
  • **
  • Posts: 57
  • Karma: +19/-2
Re: Please stop misusing your PGP signature
« Reply #13 on: October 30, 2013, 02:57:26 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

What happens if someone copy/pastes your original post in a text editor and ammends the message while keeping your signature in place. Like I just did. How does this prove anything?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCgAGBQJSabqRAAoJEMoidm4gJNM+AQsP/jWoCFN98ROa1bAhjGkHkV5e
6fJzNrW3/N/Mm17d5/nvMIDxs8kmYnrbENX7XU0zGrkpXkix8DFF1ooL8fBv4P13
zkv6jnzogze3OK7gV+RxgAJmpOB/gsMPmM9ehLt5skTZxKtsyeUG4VPToG8199Du
YreJnLqvb8YVk3fkmT2593dAVvdMe20y4cVgSlvAKlNyD532d0kq/2O8tk83K+BD
Lb0MMOyPj2IpK/O+bXbtaZ4yDZfeTJ
The Code is to Protect-
Protect with savagery your blood and kin. Let no one or nothing violate your love or way. Let there always be inequity in defense. Always protect thrice as fiercely as one is attacked. Protection is the mark of a warrior spirit.

Yoda

  • Hero Member
  • *****
  • Posts: 1452
  • Karma: +260/-34
Re: Please stop misusing your PGP signature
« Reply #14 on: October 30, 2013, 03:17:49 pm »
What happens if someone copy/pastes your original post in a text editor and ammends the message while keeping your signature in place. Like I just did. How does this prove anything?
[quoted signature block omitted; see Reply #13 above]

When checked, the signature will be invalid. Hence the point of signing: to validate.

kok

  • Jr. Member
  • **
  • Posts: 98
  • Karma: +12/-16
Re: Please stop misusing your PGP signature
« Reply #15 on: November 01, 2013, 12:25:44 pm »
What happens if someone copy/pastes your original post in a text editor and ammends the message while keeping your signature in place. Like I just did. How does this prove anything?
[quoted signature block omitted; see Reply #13 above]

Roughly speaking, RSA signatures are public key encryption in reverse. When you sign a message, first a hash value of the message is taken. Then you encrypt that value with your private key. With RSA, anything encrypted with one half of a keypair can be decrypted with the other half. So when someone verifies your signature, first they take the hash value of the signed message. Then they decrypt the signature with your public key, and then they compare the plaintext with the hash they took of the message. If the two match the signature is validated. Since only you have your private key, only you can encrypt anything with it. Nobody else knows how to make a ciphertext that decrypts into the hash of a message you signed, because nobody else has your private key. Since you changed the message, the hash value of the message will be different. When I take the hash value of this message and compare it to the plaintext signature, which I can get by decrypting the signature with the public key of the person who posted it, they are not going to match up.

AnTa2f6y

  • Full Member
  • ***
  • Posts: 159
  • Karma: +21/-13
Re: Please stop misusing your PGP signature
« Reply #16 on: November 02, 2013, 12:51:51 am »
When I verify DPR's sig it works fine, but the status says BAD in red writing. Can anyone tell me why that happens? I imported the pub key, then pasted the sig from the clipboard and verified. It tells me it is DPR, but the red BAD sign is a wonder to me.
Any clarification would be great.
Thanks
pub key: http://silkroad5v7dywlc.onion/index.php?action=profile;u=1579

Yoda

  • Hero Member
  • *****
  • Posts: 1452
  • Karma: +260/-34
Re: Please stop misusing your PGP signature
« Reply #17 on: November 02, 2013, 02:25:42 am »
When I verify DPR's sig it works fine, but the status says BAD in red writing. Can anyone tell me why that happens? I imported the pub key, then pasted the sig from the clipboard and verified. It tells me it is DPR, but the red BAD sign is a wonder to me.
Any clarification would be great.
Thanks


I'm thinking if you sign the key (a different kind of sign), you won't get that error.  You have to verify that his key is his... like your personal key has Ultimate Trust/validity, yet random public keys just imported have no trust/validity yet until you give it some. 

AnTa2f6y

  • Full Member
  • ***
  • Posts: 159
  • Karma: +21/-13
Re: Please stop misusing your PGP signature
« Reply #18 on: November 02, 2013, 03:07:03 pm »
When I verify DPR's sig it works fine, but the status says BAD in red writing. Can anyone tell me why that happens? I imported the pub key, then pasted the sig from the clipboard and verified. It tells me it is DPR, but the red BAD sign is a wonder to me.
Any clarification would be great.
Thanks


I'm thinking if you sign the key (a different kind of sign), you won't get that error. You have to verify that his key is his... like your personal key has Ultimate Trust/validity, yet random public keys just imported have no trust/validity yet until you give it some.

Bang on, it's fine now. Thanks for clearing that up for me :)
pub key: http://silkroad5v7dywlc.onion/index.php?action=profile;u=1579