Silk Road forums
Discussion => Security => Topic started by: febrileinvective on November 06, 2012, 03:12 pm
-
Hi all - some quick help/advice required, please.
One of the vendors has a PGP key listed as shown below. It appears to have a signature and a public key as separate items.
My question is:
When importing into GPG4Win, in order to encrypt a message to the vendor, do I import the entire block, from the BEGIN PGP SIGNED MESSAGE through to END PGP SIGNATURE, or should I just import the public key block, beginning ---BEGIN PGP PUBLIC KEY BLOCK---- and ending END PUBLIC KEY BLOCK?
Any help/advice much appreciated.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
-----END PGP SIGNATURE-----
-
I would try copying and pasting everything between "begin pgp public key" and "end pgp public key" first. If you screw it up, you should get an error message from your pgp program anyway. Maybe someone else can chime in and clarify if I'm correct or not. Just try that and see if the encrypted message works. Shouldn't be too hard to get figured out.
-
The public key is just the part that says PUBLIC KEY BLOCK - copy paste all that into your program however you usually do.
The person who sent you that also clearsigned their message; once you import the public key into your keyring, you can verify the signature on the message. No idea how to do that on Windows, I'm afraid. With command-line gpg it's just:
gpg --verify /path/to/signed/file
Signing just gives you a little more assurance that the message was sent by the person you think it was. Although signing a public key block is kind of recursive.
-
Hi, thanks for your input, both.
I have tried importing both versions of the key, one including the signature and one without.
Both appear to be encrypting the message fine.
-
That vendor has no clue what he is doing. It is completely unnecessary to sign a public key (with that same public key). Security-wise it adds absolutely nothing, and it only complicates things for newbies.
Yes, the key will import just fine because the program looks for the ---BEGIN PGP PUBLIC KEY BLOCK----- and the ---END PGP PUBLIC KEY BLOCK-----, and ignores all the rest.
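-
Added example, not part of the thread: a Python sketch of what the replies describe, pulling the PUBLIC KEY BLOCK out of pasted clearsigned text and checking its armor CRC-24 so a botched copy/paste is reported. `extract_blocks`, `armor`, `KEY` and `SAMPLE` are names made up here, the sample bytes are constructed placeholders rather than a key, and the sketch assumes the armor carries the optional checksum line that GnuPG 2.0.x writes.

```python
import base64
import re

# Matches any armored block that has a matching END line; the clearsign
# "SIGNED MESSAGE" header has no END line, so it never matches.
ARMOR_RE = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)\n-----END PGP \1-----", re.S)

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def extract_blocks(pasted: str) -> dict:
    """Map each armored block kind to its decoded bytes; ValueError if damaged."""
    lines = pasted.replace("\r\n", "\n").split("\n")
    # Clearsigning dash-escapes text lines that start with "-"; undo that.
    text = "\n".join(l[2:] if l.startswith("- ") else l for l in lines)
    blocks = {}
    for kind, body in ARMOR_RE.findall(text):
        # A blank line separates armor headers (Version: ...) from the base64 data.
        _, _, payload = ("\n" + body).partition("\n\n")
        rows = [r.strip() for r in payload.split("\n") if r.strip()]
        if not rows or len(rows[-1]) != 5 or rows[-1][0] != "=":
            raise ValueError(f"{kind}: armor checksum line missing")
        data = base64.b64decode("".join(rows[:-1]), validate=True)
        if crc24(data) != int.from_bytes(base64.b64decode(rows[-1][1:]), "big"):
            raise ValueError(f"{kind}: CRC-24 mismatch, block damaged in copy/paste")
        blocks[kind] = data
    return blocks

def armor(kind: str, data: bytes) -> str:
    """Build a constructed block for the demo (placeholder bytes, not a key)."""
    b64 = base64.b64encode(data).decode()
    tail = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\nVersion: demo\n\n{b64}\n={tail}\n-----END PGP {kind}-----"

KEY = armor("PUBLIC KEY BLOCK", b"constructed placeholder, not a real key")
# Constructed clearsigned wrapper around KEY, laid out like the vendor's post.
SAMPLE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
          + "\n".join("- " + l if l.startswith("-") else l for l in KEY.split("\n"))
          + "\n" + armor("SIGNATURE", b"constructed placeholder signature") + "\n")

if __name__ == "__main__":
    for kind, data in extract_blocks(SAMPLE).items():
        print(kind, len(data), "bytes, checksum OK")
```

A matching checksum only shows that the armor survived the paste intact; it says nothing about whose key it is.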