Stratos Gerakakis

Verifying my email signatures

Mar 8 2017

After a funky incident many years ago, when a collaborator in a European project (at a point where we were having an argument) decided to circulate one of my emails, after editing it to his liking, all my business emails are now electronically signed.

My emails end up looking a little “dirtier”, with all the PGP headers and footers, but that is a very small inconvenience (at least to me) considering that all my email correspondence is now tamper-proof.

I do get the occasional question though (apart from the complaints that my emails look funny) on how to actually check that a given email is valid and that its contents have not been altered.

Here are two ways to verify that an email was indeed sent by me and that its contents have not been altered.

Note: What follows is going to mess with your head. PGP encryption and signing are not meant to be used by everyday people. I’ll try my best to give a gentle overview, but still, it will be messy!

Format of signed emails

The signed emails always have the following pattern:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

This is my email.

- --
Stratos Gerakakis
Senior Software Engineer

Planetek Hellas
44 Kifisias Avenue,  Athens Space Cluster
Building C, 15125 Marousi, Athens, Greece
Tel +34 918 131 442 - Mob +34 684 124 497
gerakakis@planetek.gr  –  www.planetek.gr

== https://keybase.io/stratosgerakakis ==

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEETENGmDUJ68gM1ayY/6ikKBcYr8cFAljAcJgACgkQ/6ikKBcY
r8eQ+Af7B47OgqQJi171uMT/tndZHO8KzeGrQLUF6f8GwyrZ3Zcn2qIirOOsE5lD
QtbTxIkwW4iAAFygwUoG4nOXLlDI2emJAVxksdxsTsSo+vTi99DcbDVN9Tm1SiW1
//CEL8ciHrl9SJJSCWp2hLcQn21rUKsiCzAMVF1SHMHeWUc2roYSmmBzJyver0ph
YBhr0SdBzfcc+HBv0EBRURUypCtEf6Kci/D3/Zublg0m9qbg4p684IUnOvC7bjmQ
qpy6D1o7OkoKeKiGFMZSqsW3DvVvyXG37FzJZK7LBsmQBMR64IOLjv/n+dNTIZ20
F/IOd5lKZlytdI2bxIHq2Zt4leXtmQ==
=n7Pn
-----END PGP SIGNATURE-----

They always start with a -----BEGIN PGP SIGNED MESSAGE----- line and end with a -----END PGP SIGNATURE----- line.

Save these exact contents, including the PGP header and footer lines, into a file, let’s say /tmp/message.gpg.

The following instructions assume that you use a real operating system and that you have access to a capable command line shell.

Verifying with GnuPG

You will need to have the GnuPG package installed.

You will most likely need my public key to verify my signature, and the easiest way to get it is:

curl https://keybase.io/stratosgerakakis/pgp_keys.asc | gpg --import

The basic command to verify the email signature is:

gpg --verify /tmp/message.gpg

You should be getting an output like:

$ gpg --verify /tmp/message.gpg
gpg: Signature made Wed Mar  8 20:59:04 2017 UTC using RSA key ID 1718AFC7
gpg: Good signature from "Stratos Gerakakis <gerakakis@planetek.gr>"
gpg:                 aka "[jpeg image of size 22170]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4C43 4698 3509 EBC8 0CD5  AC98 FFA8 A428 1718 AFC7

The WARNING that gpg displays is because of the inherent lack of trust in my public key that you just imported. Is it really my public key that you downloaded before? Unless you personally verify with me that this is indeed my key, gpg will always warn you that this is not a trusted key.

You could sign my key, implying that you trust it, and make the warning go away, but that will mean that you already have your own set of private and public keys, and at this point I’m not going to turn this into a full gpg tutorial.

The important thing, so far, is the line above that reads Good signature from "Stratos Gerakakis <gerakakis@planetek.gr>"

If the message was tampered with (try editing the /tmp/message.gpg file) then the response you would get would be something like:

$ gpg --verify /tmp/message.gpg
gpg: Signature made Wed Mar  8 20:59:04 2017 UTC using RSA key ID 1718AFC7
gpg: BAD signature from "Stratos Gerakakis <gerakakis@planetek.gr>"

If you had not imported my public key, as we did in the first step, then you would get something like:

$ gpg --verify /tmp/message.gpg
gpg: Signature made Wed Mar  8 20:59:04 2017 UTC using RSA key ID 1718AFC7
gpg: Can't check signature: public key not found
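To make the format above concrete, here is an added example, not code from the post: a small Python parser for the cleartext-signed layout. It takes the post’s own message (body shortened to its first lines, signature block copied unchanged) and decodes, without any key, the pieces that the gpg output prints: the hash algorithm from the Hash: header and from the signature packet, the dash-unescaped body (the "- --" line in the email is the signature separator "--" with RFC 4880 dash-escaping applied), and the signer’s fingerprint, key ID and creation time carried inside the signature itself. What it cannot do is tell you whether the signature is good; that is the RSA check gpg performs with the public key you imported, which is why "public key not found" stops verification cold. Function names and the sample are my own; the RFC section numbers in the comments refer to RFC 4880.

```python
# Added example, not code from the post: a parser for the cleartext-signed format shown
# above (RFC 4880 sections 7 and 5.2). It does NOT verify the signature (that needs the
# signer's public key and is gpg's job); it decodes what gpg reads before it touches a key:
# the hash algorithm, the dash-escaped body, and the issuer data that the gpg output above
# prints as "RSA key ID 1718AFC7", the primary key fingerprint and the "Signature made" time.
import base64

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# The post's message, body shortened to its first lines; the signature block is unchanged.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

This is my email.

- --
Stratos Gerakakis

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEETENGmDUJ68gM1ayY/6ikKBcYr8cFAljAcJgACgkQ/6ikKBcY
r8eQ+Af7B47OgqQJi171uMT/tndZHO8KzeGrQLUF6f8GwyrZ3Zcn2qIirOOsE5lD
QtbTxIkwW4iAAFygwUoG4nOXLlDI2emJAVxksdxsTsSo+vTi99DcbDVN9Tm1SiW1
//CEL8ciHrl9SJJSCWp2hLcQn21rUKsiCzAMVF1SHMHeWUc2roYSmmBzJyver0ph
YBhr0SdBzfcc+HBv0EBRURUypCtEf6Kci/D3/Zublg0m9qbg4p684IUnOvC7bjmQ
qpy6D1o7OkoKeKiGFMZSqsW3DvVvyXG37FzJZK7LBsmQBMR64IOLjv/n+dNTIZ20
F/IOd5lKZlytdI2bxIHq2Zt4leXtmQ==
=n7Pn
-----END PGP SIGNATURE-----
"""


def split_cleartext(msg):
    """Return (armor headers, dash-unescaped body, decoded signature packet bytes)."""
    lines = msg.splitlines()
    if lines[0] != BEGIN_MSG:
        raise ValueError("not a cleartext-signed message")
    headers, i = {}, 1
    while lines[i]:                                   # "Hash: SHA256"; a blank line ends the headers
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    end = lines.index(BEGIN_SIG)
    # Dash-escaping (7.1): a body line starting with "-" is sent as "- " + line, which is why
    # the "--" signature separator shows up as "- --" in the signed email.
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:end]]
    # Armor (6.2): optional "Key: value" headers, a blank line, base64 data, "=" + CRC-24.
    armor = lines[end + 1:lines.index(END_SIG)]
    data = "".join(l for l in armor if l and ":" not in l and not l.startswith("="))
    return headers, "\n".join(body), base64.b64decode(data, validate=True)


def canonical_text(body):
    """Bytes a text-mode signature covers (7.1, 5.2.4): trailing spaces and tabs stripped,
    CRLF line endings, and no line ending before the BEGIN PGP SIGNATURE line."""
    return "\r\n".join(l.rstrip(" \t") for l in body.split("\n")).encode("utf-8")


def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket; length encoding from 5.2.3.1."""
    i = 0
    while i < len(area):
        n = area[i]
        if n < 192:
            length, i = n, i + 1
        elif n < 255:
            length, i = ((n - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]    # top bit of the type byte = "critical"
        i += length


def parse_signature(sig):
    """Decode a v4 signature packet with an old-format header (4.2.1), as gpg emits here."""
    first = sig[0]
    if (first & 0xC0) != 0x80 or ((first >> 2) & 0x0F) != 2:
        raise ValueError("expected an old-format signature packet")
    hdr = {0: 2, 1: 3, 2: 5}[first & 0x03]            # header size from the length-type bits
    p = sig[hdr:hdr + int.from_bytes(sig[1:hdr], "big")]
    if p[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    hashed_end = 6 + int.from_bytes(p[4:6], "big")
    unhashed_end = hashed_end + 2 + int.from_bytes(p[hashed_end:hashed_end + 2], "big")
    # sig_type 1 = canonical text document, pk_alg 1 = RSA, hash_alg 8 = SHA256 (9.3, 9.1, 9.4)
    info = {"sig_type": p[1], "pk_alg": p[2], "hash_alg": p[3]}
    for area in (p[6:hashed_end], p[hashed_end + 2:unhashed_end]):
        for sp_type, sp in iter_subpackets(area):
            if sp_type == 2:                           # signature creation time, seconds since epoch
                info["created_unix"] = int.from_bytes(sp, "big")
            elif sp_type == 16:                        # issuer key ID; gpg prints its last 8 hex digits
                info["key_id"] = sp.hex().upper()
            elif sp_type == 33:                        # issuer fingerprint (RFC 9580; a draft in 2017)
                info["fingerprint"] = sp[1:].hex().upper()
    return info


def describe(msg=SAMPLE):
    """Everything a verifier learns from the file itself, before it needs the public key."""
    headers, body, sig = split_cleartext(msg)
    info = parse_signature(sig)
    info.update(hash_header=headers.get("Hash"), body=body, signed_bytes=canonical_text(body))
    return info
```

Running describe() on the sample gives created_unix 1489006744 (the "Wed Mar 8 20:59:04 2017 UTC" line), key ID FFA8A4281718AFC7 (gpg shows the short form 1718AFC7) and the fingerprint 4C43 4698 ... 1718 AFC7 from the gpg output, all read straight out of the signature packet. Editing a body line changes canonical_text() and therefore the SHA-256 gpg computes over it, which is the "BAD signature" case; editing the base64 block breaks the packet parse or the RSA check instead.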

Verifying with keybase

Keybase is a nice utility/service that encapsulates a lot of this raw encryption/signing black magic into an easier workflow. It also allows you to verify yourself and establish a level of trust that the keys you claim are yours are indeed yours and that you are who you claim to be. Yes, this thing with the web of trust is very paranoid…

You will need to have the keybase binaries installed from their website in order to follow through.

Once you do, then:

$ keybase pgp pull stratosgerakakis

will pull my public key, and:

$ keybase gpg verify -i /tmp/message.gpg
Signature verified. Signed by stratosgerakakis 2 hours ago (2017-03-08 20:59:04 +0000 UTC).
PGP Fingerprint: 4c4346983509ebc80cd5ac98ffa8a4281718afc7.

will verify that the email message is intact.

Keybase is also doing a lot of other interesting stuff and it’s worth checking out, if you’re into that sort of thing.

Automatic ways to validate email signatures

Obviously you are not meant to go through this whole procedure for every email. Your email program should be able to verify the signatures of emails for you, with the help of certain extensions/helper utilities.

Once again this is not a full tutorial on how to setup your email program (I don’t even know what program you’re using) but here is a list of programs that have capabilities to encrypt and verify emails:

Yes, unfortunately nothing in this workflow is straightforward and it’s a big mess, requiring a lot of research and field-specific knowledge to understand it all. And by no means do I claim to be an expert on any of these!

Good luck!

Moving to Arch

Aug 22 2014

Well the time to move-on has finally come.

After being a faithful Ubuntu user since Warty Warthog, Ubuntu 4.10, back in 2004 (wow, already a decade ago), it is time to move on.

There are multiple online posts complaining about the direction Ubuntu has taken over the last years, but I’ll just quickly state my own reasons.

  • Tired of constantly upgrading the system every six months. Although considerable effort is being taken to provide smooth upgrades, usually the procedure to upgrade a system takes the better part of a day. That is, if everything goes well. After almost 20 upgrades I had some go awry on me, which really adds to the burden of updating the system. And that’s only for one system. Multiply that by 5-6 times, for all my servers, desktops and laptops, and the amount of work really adds up.

  • Ever since the move to Unity (which I don’t like at all) I have been using Gnome3. With Ubuntu I am forced to stay a couple of versions behind, since the repositories do not include the latest version. Same thing with other packages that do not have the latest versions updated in the repos.

  • In the last two or three Ubuntu releases I get a lot of “Sorry, Ubuntu has experienced an internal error” popups that are really annoying. Same hardware, same settings but a lot of these errors. And very vague descriptions of what went wrong.

So I decided it is time to move to another distro. Reading many nice things online about Arch and after trying it in a Virtualbox machine I decided to take the plunge. I took a shortcut though, and installed Antergos, which is a very nicely packaged version of Arch with a GUI installer that automatically installs a Desktop Environment for you. All done in the Arch way, so the end result is well documented.

More posts as the time passes by…

Left Hand Of Darkness

Aug 10 2014

Winter is an Earth-like planet with two major differences: conditions are semi-arctic even at the warmest time of the year, and the inhabitants are all of the same sex. Tucked away in a remote corner of the universe, they have no knowledge of space travel or of life beyond their own world. And when a strange envoy from space brings news of a vast coalition of planets which they are invited to join, he is met with fear, mistrust and disbelief.

(From the book’s back cover)

I barely had enough patience to finish this book. I wonder how come it got both the Nebula and the Hugo awards.

What was so special about a single man trying to convince a newly discovered planet to join the Ekoumen (from the Greek word “οικουμένη”)? It could have been vastly more interesting, but the pace and the subject matter of the character conversations were a complete turn-off for me. I couldn’t wait for the book to finish. Good thing it was a short one.

If you want a nice Ursula Le Guin book, you’re better off with the “Earthsea Trilogy”.

Mysql Bindings in Django

Dec 25 2011

In order to correctly install mysql bindings in a Django virtualenv you need:

First install some Ubuntu dependencies:

$ sudo aptitude install build-essential python-mysqldb libmysqlclient-dev

Then create the virtual env and install the python packages:

$ virtualenv --no-site-packages --distribute myVirtualEnv
$ pip install -E myVirtualEnv Django
$ pip install -E myVirtualEnv mysql-python

I was missing the libmysqlclient-dev package and I was getting an EnvironmentError: mysql_config not found when running the pip install mysql-python.