============================================================ MINI-HOWTO VERIFY MY CV & RESUME'S ELECTRONIC GPG SIGNATURES ============================================================ - [ kjs@zen-mode.com, 2018-02-07, version 1.4 ] ------------ To verify my CV & RESUME's electronic signatures you'll need: (a) A working GPG installation (b) My public PGP key (c) My PDF + .asc files (d) And to execute some shell commands... In capable hands and using a good computing environment this should not take more than a couple of minutes. Kind regards, Kristoffer Sederlöf a. Install GnuPG (https://gnupg.org) (open source PGP, Pretty Good Privacy) --------------------------------------------------------------------------- Debian based systems: $ sudo apt-get install gnupg Fedora based systems: $ sudo yum install gnupg MacOS: * https://gpgtools.org/ Windows: * https://ssd.eff.org/en/module/how-use-pgp-windows * https://www.techrepublic.com/blog/it-security/using-gnupg-encryption-tools-with-gpg4win/ b. Fetch my public GPG (PGP) key -------------------------------- $ gpg --keyserver hkp://keys.gnupg.net --search-keys 4380217C # select 1 Or via a file: $ wget https://zen-mode.com/~kjs/pgp/kjs_pubkey_ver-1.asc $ gpg --import kjs_pubkey_ver-1.asc Next, verify that you got the right key. My current fingerprint is: 5D16 B9D6 2EB3 491E C778 E8A9 4D38 F5C1 4380 217C Example: $ gpg --fingerprint kjs@zen-mode.com pub 4096R/4380217C 2017-02-07 [expires: 2019-02-07] Key fingerprint = 5D16 B9D6 2EB3 491E C778 E8A9 4D38 F5C1 4380 217C uid Kristoffer Sederlof uid Kristoffer J. Sederlof sub 4096R/FE0638FE 2017-02-07 [expires: 2019-02-07] c. Download my CV & RESUME (plus related files) ----------------------------------------------- - Download my CV & RESUME files (plus signature + checksum files) via manually right-click and selecting "Save as..." - Or grab them all "in one go" via downloading my combo zip-files $ wget https://zen-mode.com/~kjs/cv/kjs_cv_and_resume.zip $ unzip kjs_cv_and_resume.zip $ cd cv/ d. Verify the PDF files using the .asc files (armoured & detached GPG signature files) -------------------------------------------------------------------------------------- Verifying a armoured & detached GPG signature + target file: $ gpg --verify FILE.asc FILE Example (should return "Good signature..."): $ gpg --verify kjs_cv.pdf.asc kjs_cv.pdf gpg: Signature made Wed 24 Jan 2018 11:42:35 AM EET using RSA key ID 4380217C gpg: Good signature from "Kristoffer Sederlof " gpg: aka "Kristoffer J. Sederlof " $ gpg --verify kjs_resume.pdf.asc kjs_resume.pdf gpg: Signature made Wed 24 Jan 2018 11:42:43 AM EET using RSA key ID 4380217C gpg: Good signature from "Kristoffer Sederlof " gpg: aka "Kristoffer J. Sederlof " You can also check for download problems via the sha256 checkum files: $ sha256sum -c kjs_resume.pdf.sha256 kjs_resume.pdf: OK $ sha256sum -c kjs_cv.pdf.sha256 kjs_cv.pdf: OK --------------------------------------- EXAMPLES OF BAD SIGNATURES OR CHECKSUMS --------------------------------------- Unwanted changes to signature and/or PDF files: $ gpg --verify kjs_cv.pdf.asc kjs_cv.pdf gpg: Signature made Wed 24 Jan 2018 12:39:13 PM EET using RSA key ID 4380217C gpg: BAD signature from "Kristoffer Sederlof " Unwanted changes to PDF file: $ sha256sum -c kjs_cv.pdf.sha256 kjs_cv.pdf: FAILED sha256sum: WARNING: 1 computed checksum did NOT match