Sept 2006 GPG Key Verification
From LILUG
These are the instructions for verifying that the key you sent to Jeff Sipek is correct.
- Download the key list
You should get the HTML list of keys that Jeff Sipek prepared. Download this to your PC.
- Verify the hash for the key list file
Run the sha1sum command from your shell prompt to check the hash for this file:
$ sha1sum list.html
You should see the following result:
7f1cb0e26393731a422d24cd45332df24e633263 list.html
If the hash matches, you have the same file that Jeff is distributing.
- Verify your own key information
Verify that your information in the file is correct. For example, if you view the file, it says that Jeff's keyid is C7958FFE, and that his fingerprint is A076 18A7 50A8 31C1 D1BF B126 C053 F4FA C795.
Jeff would run this quick gpg command to see what the correct information is, from his own key:
$ gpg --fingerprint josef
The result of this command when Jeff ran it was:
pub 1024D/C7958FFE 2003-05-14
Key fingerprint = A076 18A7 50A8 31C1 D1BF B126 C053 F4FA C795 8FFE
uid Josef Sipek (Jeff) <jeffpc@josefsipek.net>
sub 2048g/B01A7831 2003-05-14
The first 2 lines of the output show that the key file info for Jeff's key matches his actual key.
- Verify the hash for the public keys file
The public keys are also available. However, do not sign anything until after the meeting.
To verify the hash of the key file:
$ sha1sum list.keys
61210adc94d852b95b6330bd43861add3625a763 list.keys
- Problems?
Send email to Jeff, especially if you find something wrong with the data!
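The checks from the steps above, as an added shell example that is not part of the original LILUG page: it compares a listed fingerprint with the one gpg prints, requiring all 40 hex digits and requiring the key ID to be the fingerprint's last 8 digits, and it checks a file against a published SHA-1 hash. The function names are assumptions made for this example; the fingerprint is the one from Jeff's gpg output above.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print the fingerprint with whitespace removed and hex digits uppercased.
# Fails unless the result is exactly 40 hex digits (a full 160-bit fingerprint).
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# check_entry KEYID LISTED_FPR GPG_FPR
# Succeeds only if both fingerprints are complete and equal, and the
# 8-digit key ID is the last 8 hex digits of that fingerprint.
check_entry() {
    keyid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    listed=$(normalize_fpr "$2") || { echo "listed fingerprint incomplete" >&2; return 1; }
    actual=$(normalize_fpr "$3") || { echo "gpg fingerprint incomplete" >&2; return 1; }
    [ "$listed" = "$actual" ] || { echo "fingerprint mismatch" >&2; return 1; }
    [ "${#keyid}" -eq 8 ] || { echo "key ID is not 8 digits" >&2; return 1; }
    case "$actual" in
        *"$keyid") return 0 ;;
        *) echo "key ID does not match fingerprint" >&2; return 1 ;;
    esac
}

# check_sha1 FILE EXPECTED_HEX: compare sha1sum output with the published hash.
check_sha1() {
    got=$(sha1sum "$1" | cut -d' ' -f1) || return 1
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# Fingerprint copied from the gpg output shown on this page.
GPG_FPR='A076 18A7 50A8 31C1 D1BF B126 C053 F4FA C795 8FFE'
# With a real keyring the same value can be read from:
#   gpg --with-colons --fingerprint josef | awk -F: '/^fpr:/ {print $10; exit}'
if check_entry C7958FFE "$GPG_FPR" "$GPG_FPR"; then
    echo "entry for C7958FFE matches"
fi
```

For the file checks, call `check_sha1 list.html` or `check_sha1 list.keys` with the hash published for that file.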
