How to Verify Signatures

As a researcher, I’m obsessed with the need to verify everything. This desire extends to and includes half-formed thoughts and cases. For this reason, every post (including this one) on this site is automatically signed using The Grave Hunters Society GnuPG key. Digital signatures provide several things:

  1. Verification that the content on the site originated from The Grave Hunters Society.
  2. Confirmation of the date that the material was posted. (This is in combination with Timestamp Authorities, for legal verifications.)
  3. Freedom for researchers to post more frequently, unconcerned about having to protect historical findings, since these can be traced to a particular source and time.

I’m not going to lie, the use of signatures may be a bit esoteric, but for those who would like to use them, the process is roughly as follows:

  1. Download the public key from here, from the page of the file you would like to verify, or from a public keyserver. (You should only have to do this step and the next one once.)
  2. Import this key into your gpg keyring with
     gpg --import {key-file}
  3. After the public key is imported, you can verify any file by downloading the original file and the signature file.
  4. Verify the sha512 of the file to make sure it is the file you believe it to be, and that it downloaded completely with no corruption
     if [ "$(sha512sum {file} | awk '{print $1}')" = {SHA512} ]; then echo "ok"; else echo "sha does not match"; fi

     So, you would end up with something like this:

     if [ "$(sha512sum myfile.md | awk '{print $1}')" = 6ac9809fe25709eb516a90abe8d936afc3b2a0fa2823884048d351ba88a9a916ef1a2574d9652c3fc29057533121c9c28446d6abf6b90dd68dee65c18cd5deb8 ]; then echo "ok"; else echo "sha does not match"; fi
  5. Once you’re certain you have the correct files, you can verify that they were signed using The Grave Hunters Society private key by using
     gpg --verify {signature_file} {original_file}
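
The steps above combined into one script, as an added example that is not part of the original post. Besides the SHA-512 check and `gpg --verify`, it compares the signer's primary key fingerprint with one you pinned, because `gpg --verify` reports success for a good signature from any key in your keyring. The function names and the fingerprint argument are assumptions; obtain the real fingerprint from the publisher over a channel you trust.

```sh
#!/bin/sh
# Added example, not the site's own tooling. Function names are hypothetical.

# check_sha512 FILE EXPECTED_HEX
# Returns 0 only if the file is readable and its SHA-512 equals EXPECTED_HEX.
check_sha512() {
    actual=$(sha512sum -- "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# primary_fpr
# Reads `gpg --status-fd 1` output on stdin and prints the primary key
# fingerprint from each VALIDSIG line (the last field; older gpg versions
# that omit it fall back to the signing key fingerprint in field 3).
primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12) ? $12 : $3 }'
}

# verify_release FILE SIGNATURE EXPECTED_SHA512 EXPECTED_FPR
# EXPECTED_FPR is the full fingerprint, uppercase hex, no spaces.
# Returns 0 only if the hash, the signature and the signer all check out.
verify_release() {
    check_sha512 "$1" "$3" || { echo "sha does not match" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || {
        echo "signature did not verify" >&2; return 2; }
    signer=$(printf '%s\n' "$status" | primary_fpr)
    # Fails closed if there is no VALIDSIG line or more than one signer.
    [ "$signer" = "$4" ] || { echo "unexpected signer: $signer" >&2; return 3; }
    echo "ok"
}

# Usage (placeholders in braces are yours to fill in):
#   verify_release myfile.md myfile.md.sig {SHA512} {FINGERPRINT}
```

A non-zero return tells you which stage failed: 1 for the hash, 2 for the signature, 3 for a valid signature made by a key other than the one you pinned.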