How to Verify Signatures
As a researcher, I’m obsessed with the need to verify everything. This desire extends to and includes half-formed thoughts and cases. For this reason, every post (including this one) on this site is automatically signed using The Grave Hunters Society GnuPG key. Digital signatures provide several things:
- It verifies that the content on the site originated from The Grave Hunters Society.
- It confirms the date that the material was posted. (This is in combination with Timestamp Authorities, for legal verifications.)
- It frees researchers to post more frequently, unconcerned about having to protect historical findings since these can be traced to a particular source and time.
I’m not going to lie, the use of signatures may be a bit esoteric, but for those who would like to use them, the process is roughly as follows:
- Download the public key from here, the page of the file you would like to verify, or a public keyserver. (You should only have to do this step and the following one once.)
- Import this key into your gpg keyring with:
gpg --import {key-file}
- After the public key is imported, you can verify any file by downloading the original file and the signature file.
- Verify the sha512 of the file to make sure it is the file you believe it to be, and that it downloaded completely with no corruption:
if [ "$(sha512sum {file} | awk '{print $1}')" = "{SHA512}" ]; then echo "ok"; else echo "sha does not match"; fi
So, you would end up with something like this:
if [ "$(sha512sum myfile.md | awk '{print $1}')" = "6ac9809fe25709eb516a90abe8d936afc3b2a0fa2823884048d351ba88a9a916ef1a2574d9652c3fc29057533121c9c28446d6abf6b90dd68dee65c18cd5deb8" ]; then echo "ok"; else echo "sha does not match"; fi
- Once you’re certain you have the correct files, you can verify that they were signed using The Grave Hunters Society private key by using:
gpg --verify {signature_file} {original_file}
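
The steps above combined into one script, as an added example that is not part of the original post or the site's own tooling. Because `gpg --verify` reports success for a good signature from any key in your keyring, the script also reads gpg's machine-readable status output and accepts the file only if the signer's fingerprint is the one you expect. The function names and the expected-fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example: checksum check plus signature check pinned to one key.

# Succeeds only if FILE's SHA-512 equals EXPECTED (hex, any letter case).
sha512_matches() {
    actual=$(sha512sum < "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Reads `gpg --status-fd` output on stdin. Prints the primary-key fingerprint
# only when GOODSIG is present (EXPKEYSIG, REVKEYSIG, BADSIG print nothing).
# Assumes a single signature, as a detached signature file normally carries.
validsig_fingerprint() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
         END { if (good && fpr != "") print fpr }'
}

# verify_signed_file FILE SIGNATURE EXPECTED_SHA512 EXPECTED_FINGERPRINT
# EXPECTED_FINGERPRINT is an assumption: the 40-hex-digit fingerprint of the
# signing key, obtained from a source you trust (the page does not list it).
verify_signed_file() {
    sha512_matches "$1" "$3" || { echo "sha does not match" >&2; return 1; }
    signer=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
             validsig_fingerprint)
    want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ -n "$signer" ] && [ "$signer" = "$want" ]; then
        echo "ok: good signature from $signer"
    else
        echo "no good signature from the expected key" >&2
        return 1
    fi
}

# Run the whole check when called with the four arguments listed above.
if [ "$#" -eq 4 ]; then
    verify_signed_file "$@"
fi
```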