How to PGP-sign a message

So today I’m doing my monthly warrant canary update, which simply states that I’ve not received any government requests for information about people who have attended my workshops or visited my website (that last part would be especially difficult for the feds to demand — I don’t collect IP addresses or other personally identifying information about my site visitors). You’ll notice that my warrant canary message is wrapped in a PGP signature, which means that only someone in possession of my PGP secret key could have signed it.

PGP signatures are a useful way to show that the message was written by the intended author, and not tampered with or forged by an attacker. If someone were to gain access to my website and alter the message, the signature would no longer verify and the PGP output would read as invalid. I’m getting ahead of myself a bit though — I’ll show you what I mean by that in a moment. You can use a PGP signature to add a measure of security and verifiability to any message — it’s not just for warrant canaries — and I’m going to show you a simple way to do this in your console.

Please note: the full instructions here are for Unix-based systems, like OS X or GNU/Linux distributions. To make this work on a Windows machine, you’ll first need to install Cygwin to run Unix apps on Windows. The GPG package for Windows is called GPG4Win.

Incidentally, if you’d like to learn more about warrant canaries, as well as view a list of sites that publish canaries, visit EFF’s Canary Watch.

Now, on to PGP signing:

1. The first and most important step is that you must have GPGTools installed (nb: GPG and PGP are terms used interchangeably). If you’re already using PGP to encrypt your email, great, you’ve already got a keypair. If not, the best, simplest instructions I’ve seen for setting up PGP are these from the Free Software Foundation (if you get stuck, I’d love to help you set up PGP, so contact me).

2. If your keypair is all set, go ahead and open a console. On OS X, your console is called Terminal, and on GNU/Linux distributions you should find it as Xterm, terminal, Konsole, console, or something like that.

3. In the console window, you want to open your console text editor. I’m using nano, but you can use another simple command line text editor like Vi/Vim, which comes with many GNU/Linux distributions.

To run nano, type

nano

…then hit enter. nano will open with a new interface.

4. Type out the text you want in your PGP-signed message. Since I’m making my warrant canary message here, I am going to type: “We have not been contacted by any government agencies requesting information about our workshop attendees or website visitors.”

5. Save the newly created file by holding “control” and the letter “O” at the same time.

6. nano will prompt you to name your file (you should see a line “File name to write”). I am naming my file “canary.txt”. Hit enter.

7. Hold down “control” and “X” to quit nano. Type “y” to say yes to saving. Hit enter. This will bring you back to your original terminal window.

8. Type

cat [the name of your file from earlier]

…and hit enter. Mine looks like “cat canary.txt”. This will display the text of your newly created canary file. Make sure it looks good! If so, you’re ready to sign it.

9. Type

gpg --clearsign [the name of your file from earlier]

Mine looks like “gpg --clearsign canary.txt” (note: there are two plain hyphens before “clearsign”. Some web formatting turns them into a single long dash, so type the plain text dashes shown above. That’s why I put the above in its own plain-text block.)

10. Enter your PGP password to unlock your secret key. Once you’ve entered it, you should see a new terminal line that ends in $.

11. Now type

cat [the name of your file from earlier].asc

Mine looks like “cat canary.txt.asc”. This will display the newly signed text file. You can copy and paste this output into another medium where you want your signed text to display. Congratulations! You’ve created your PGP-signed message!

12. Test your signature by typing

gpg --verify [the name of your file.asc]

…and hitting enter. My command and output look like this:

gpg --verify canary.txt.asc
gpg: Signature made Mon Mar  9 13:52:14 2015 EDT using RSA key ID CBE83CA3
gpg: Good signature from "Alison Macrina " [ultimate]
gpg:                 aka "Alison Macrina " [ultimate]

Just for funsies, you should try tampering with the message in your file, then running the --verify command again. See what happens?
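
The sign, verify and tamper steps above as one script. This is an added example, not part of the original post. It assumes GnuPG 2.1 or later and works in a throwaway keyring with a passphrase-less key constructed for the demo, so your real key is never touched; the function name canary_demo, the user ID and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: steps 8-12 plus the tamper test, run against a throwaway
# keyring. The key, user ID and file names are constructed for this demo.

canary_demo() (
    # The ( ... ) body runs in a subshell, so GNUPGHOME does not leak out.
    work=$(mktemp -d) || exit 2
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || exit 2

    # Throwaway Ed25519 signing key with an empty passphrase (demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Canary <canary@example.invalid>' \
        ed25519 sign never 2>/dev/null || { rm -rf "$work"; exit 2; }

    printf '%s\n' 'We have not been contacted by any government agencies.' \
        > "$work/canary.txt"

    # Step 9: writes canary.txt.asc next to the input file.
    gpg --batch --quiet --clearsign "$work/canary.txt" 2>/dev/null \
        || { rm -rf "$work"; exit 2; }

    # Step 12: gpg --verify exits 0 only when the signature is good.
    if gpg --batch --verify "$work/canary.txt.asc" 2>/dev/null
    then intact=good; else intact=bad; fi

    # Tamper with the signed text but leave the signature block alone.
    sed 's/have not been/have been/' "$work/canary.txt.asc" \
        > "$work/tampered.asc"
    if gpg --batch --verify "$work/tampered.asc" 2>/dev/null
    then tampered=good; else tampered=bad; fi

    gpgconf --kill gpg-agent 2>/dev/null   # stop the demo keyring's agent
    rm -rf "$work"
    echo "intact=$intact tampered=$tampered"
)

canary_demo
```

Because gpg --verify signals the result through its exit status, the same check can gate an automated job that republishes or monitors a canary.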

Thoroughly confused? Don’t cry. Contact me.
