How_to_verify_a_signed_article stjohn_piano Note: This page is subject to change at any time. It is not signed by the author or by Edgecase Datafeed. Note: All articles published on Edgecase Datafeed are datafeed articles and are signed by Edgecase Datafeed. A datafeed article may contain an article, a signed article, or a checkpoint article. To verify a datafeed article means to check that the GPG digital signature attached to it is mathematically valid and optionally to check its time of publication as measured by block height on the bitcoin blockchain. The most recent articles may not yet have been published on the bitcoin blockchain. Note: A signed article is signed by its author as well as by Edgecase Datafeed. The author signature is cryptographic proof of the validity of the author's claim of authorship. 1) Install GPG 1.4.x (preferably 1.4.10), if you don't already have it on your system. How to do this is beyond the scope of this recipe. 2) Check that your system has a utility for calculating the SHA256 hash of a file. If it does not, find and install one. How to do this is beyond the scope of this recipe. 3) Browse to the signed article that you wish to verify. In the Downloads menu, there should be a "Download this article" link to the original datafeed article, which is a text file. Clicking this link should cause your browser to ask you to download this text file. Make a note of the author's name e.g. "stjohn_piano". 4) Follow this recipe hyperlink /pages/how_to_verify_a_datafeed_article.txt How to verify a datafeed article to verify the Edgecase Datafeed signature on the signed article. 5) Browse to the hyperlink /pages/public_keys.txt Public Keys page on this site. On this page, there should be a download link to the public key of the article's author, which is stored in GPG base-64 format in a text file. Clicking this link should cause your browser to ask you to download this text file. 6) Create a new directory e.g. "verify_signed_article". Place the datafeed article file and the author public key file in this directory. Create another directory within this directory for use as a temporary GPG keyring e.g. "keyring_tmp". Open a commandline terminal, change directory to "verify_datafeed_article", and run the following command to set directory permissions for "keyring_tmp" to the permissions that GPG expects. A setting of 700 allows the user (you) to read/write/execute anything in the directory, but prevents any other user account on your system (e.g. another program) from doing so. $ chmod 700 keyring_tmp 7) Extract the signed article: Open the signed article file. Highlight everything between and including the first character of \ ("\<") and the last character of \ ("\>"). Copy this text. Open a new text file. Paste this text into it. Save this file in the directory "verify_signed_article" as e.g. "signed_article.txt". 8) Extract the signed article signature: In the open signed article file, highlight everything between and including the first character of \ ("\<") and the last character of \ ("\>"). Copy this text. Open a new text file. Paste this text into it. Replace "\" with "-----BEGIN PGP SIGNATURE-----" and press enter to add a new line immediately after this replacement text. Replace "\" with "-----END PGP SIGNATURE-----". Save this file in the directory "verify_signed_article" as e.g. "signed_article.sig". Close the new signed article file. Applying these changes to this example author signature: \ iQIcBAABCgAGBQJZVAS5AAoJEC8RP+HmG9MXdTwQALi2J8aHCiajjV+dTTtVws6J GECE4tSWdB7rreyOCvvxDULRtXiLY+vCtRoLI5yNk1lHRxjnCGpMYt90N7AZcQII 08IF8ixgHyibr3+CCTxzgfsqeacWdpL/VS5MyKQwj/vEDNWW/gnv+tfvTAPW00DR rOv6rJHAsJxWOewfF4YgjqLyMPYIdFlCddC4sek6F4c12zC3c8ANSza1r2tX9U9/ f32DqsyqAayOxPr7HdX90FM6c0bPxSjZ6SPNGYSt+9N0oqafh9LIGfQ3fzfMv0RE 6PhdGAXnUmTHYHhQ9A93D1tJvscxX5qPASTYSlYcwjyp/yPYED5S6knhe+No0eRo 9WJCaRPYfSrohEyCgCa837HiDI49LzDf8cvQRqDGaOAW8FMbFt3TSae0XxV8/CC5 0kaW02sHcPCfNbaeqYnRQK+3KWjjgaJZcUItWq9NKX7f4VPGtO6JjoilAtiufctg G5C/7vbmaQoPcQ3Lnu+FY3SCavSz66iX5dNx471McLfQPvntMLvjk7XNvYzZIm1o 2gTU20T7aN1/Kxg9rpjeazxJbjVk4FL/YZScveqLidzWS/vNFkZhdDWvOovvEbSc A70VAelCAMtRLPs8o9Z1fBw6aEKSFWeaL44s1/S6ApA4m+lLrdvuCO6f3w/wJvqj 1T2KMnHmqQ36jVVsWgbA =/JBI \ should result in this example GPG signature: -----BEGIN PGP SIGNATURE----- iQIcBAABCgAGBQJZVAS5AAoJEC8RP+HmG9MXdTwQALi2J8aHCiajjV+dTTtVws6J GECE4tSWdB7rreyOCvvxDULRtXiLY+vCtRoLI5yNk1lHRxjnCGpMYt90N7AZcQII 08IF8ixgHyibr3+CCTxzgfsqeacWdpL/VS5MyKQwj/vEDNWW/gnv+tfvTAPW00DR rOv6rJHAsJxWOewfF4YgjqLyMPYIdFlCddC4sek6F4c12zC3c8ANSza1r2tX9U9/ f32DqsyqAayOxPr7HdX90FM6c0bPxSjZ6SPNGYSt+9N0oqafh9LIGfQ3fzfMv0RE 6PhdGAXnUmTHYHhQ9A93D1tJvscxX5qPASTYSlYcwjyp/yPYED5S6knhe+No0eRo 9WJCaRPYfSrohEyCgCa837HiDI49LzDf8cvQRqDGaOAW8FMbFt3TSae0XxV8/CC5 0kaW02sHcPCfNbaeqYnRQK+3KWjjgaJZcUItWq9NKX7f4VPGtO6JjoilAtiufctg G5C/7vbmaQoPcQ3Lnu+FY3SCavSz66iX5dNx471McLfQPvntMLvjk7XNvYzZIm1o 2gTU20T7aN1/Kxg9rpjeazxJbjVk4FL/YZScveqLidzWS/vNFkZhdDWvOovvEbSc A70VAelCAMtRLPs8o9Z1fBw6aEKSFWeaL44s1/S6ApA4m+lLrdvuCO6f3w/wJvqj 1T2KMnHmqQ36jVVsWgbA =/JBI -----END PGP SIGNATURE----- 9) Open a commandline terminal, change directory to the directory "verify_signed_article", and run the following command, which creates a temporary GPG keyring and imports the author public key into it. Replace "stjohn_piano" with a different author name if necessary. $ gpg --no-default-keyring --keyring pubring.gpg --homedir keyring_tmp --import stjohn_piano_public_key.txt example output: gpg: keyring `keyring_tmp/secring.gpg' created gpg: keyring `keyring_tmp/pubring.gpg' created gpg: keyring_tmp/trustdb.gpg: trustdb created gpg: key E61BD317: public key "stjohn_piano" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) 10) In the open commandline terminal, run the following command, which verifies that the signature of this signed article is valid. $ gpg --no-default-keyring --keyring pubring.gpg --homedir keyring_tmp --verify signed_article.sig signed_article.txt example output: gpg: Signature made Wed Jun 28 19:34:17 2017 GMT using RSA key ID E61BD317 gpg: Good signature from "stjohn_piano" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: A69D D24E AB33 10E2 972E 6846 2F11 3FE1 E61B D317 GPG will warn you that this public key is not certified. Certification means that someone (you yourself, someone you trust, or someone trusted by someone you trust, etc) would have to meet the owner of the stjohn_piano public key, verify that they are who they claimed to be, and sign this public key using a key of their own. You would then import this signature into GPG. This signature would certify that a particular person owned this public key. I have carefully written this recipe so that you do not have to maintain a trust management system inside GPG. This limits this recipe to the intended scope (it only shows you how to verify that the signature is mathematically valid - it does not ask you to trust the author public key). This also has the advantage that this verification recipe can be automated in a straightforward manner. However, this also means that GPG will necessarily not be able to find any record within itself that the Edgecase Datafeed public key is owned by a particular person, so it will produce a warning. The important result is this line: gpg: Good signature from "stjohn_piano" which means that GPG has used stjohn_piano's public key to verify that the signature was created using stjohn_piano's private key. Note: The private key is mathematically related to the public key and can be kept secret by its holder. The public key can be published and allows another person to verify that a particular signature was made by the corresponding private key. 11) In the open commandline terminal, run the following command to find the SHA256 hash of the original datafeed article. Replace "sha256" with the appropriate command on your system. Replace "2017-06-28_edgecase_datafeed_article_1_2017-06-28_stjohn_piano_viewpoint.txt" with the filename of the datafeed article you are verifying. $ sha256 2017-06-28_edgecase_datafeed_article_1_2017-06-28_stjohn_piano_viewpoint.txt example output: e7beffdee3ef01baedba6301a5c5b0fea010e99e2484884861e5ce9866d25c7f 12) Browse to the signed article. In the Navigation menu, there should be a link to the next checkpoint in Edgecase Datafeed. Browse to the next checkpoint. Find the article description corresponding to the signed article. Compare the SHA256 hash in this article description to the SHA256 hash that you generated in the previous step. They should be identical. 13) Follow this recipe hyperlink /pages/how_to_verify_a_checkpoint_article.txt How to verify a checkpoint article to confirm that the next checkpoint was published by Edgecase Datafeed at a specific time and has not been changed since that time. Time is measured here as block height on the bitcoin blockchain. 14) Optionally, repeat the previous two steps for the previous checkpoint. 15) You have now confirmed that this signed article - was signed by its author - was published by Edgecase Datafeed at a time prior to the publication of the next checkpoint. - (optional) was published by Edgecase Datafeed at a time after the publication of the previous checkpoint. - has not been changed since the time of its publication. Time is measured here as block height on the bitcoin blockchain. An original, unaltered copy of this signed article is now in your possession.