How can I tell if something is legitimate?

Let’s take an example PGP signed message, which looks something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ contents removed ]

-----BEGIN PGP SIGNATURE-----

[ signature removed ]
=l39a
-----END PGP SIGNATURE-----

How is a legitimate message presented?

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Good Signature
*** Signer:   Adrian P Wilkinson [Puffin Industries] <[email protected]> (0xDB9490F3)
*** Signed:   04/12/2020 23:09:57
*** Verified: 05/12/2020 12:10:18
*** BEGIN PGP VERIFIED MESSAGE ***

[ contents removed ]

*** END PGP VERIFIED MESSAGE ***

So how do I spot a fake?

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Bad Signature
*** Alert:    Signature did not verify. Message has been altered.
*** Signer:   Adrian P Wilkinson [Puffin Industries] <[email protected]> (0xDB9490F3)
*** Signed:   04/12/2020 23:09:57
*** Verified: 05/12/2020 12:06:40
*** BEGIN PGP VERIFIED MESSAGE ***

[ contents removed ]

*** END PGP VERIFIED MESSAGE ***

How has my message “been altered”?

You will need to contact the sender via alternate means and check with them directly. However, it may simply be that, during transmission, one of the servers processing the message made a minor change that invalidated the signature.
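As an added illustration (not code from this page or its author), the sketch below models the OpenPGP cleartext-signature canonicalization rules (RFC 4880, section 7.1) to show which in-transit changes leave the signed text intact and which lead to a Bad Signature. The sample message, the transit changes and all function names are constructed for the example, and it assumes the signature block itself arrives untouched.

```python
import hashlib

# Constructed sample; the body text and the signature placeholder are illustrative only.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA512\n"
    "\n"
    "Meet at the usual place.\n"
    "- - bring the documents\n"
    "From now on use this key only.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "[ signature removed ]\n"
    "-----END PGP SIGNATURE-----\n"
)

def signed_lines(message):
    """Return the lines between the armor headers and the signature block."""
    lines = message.replace("\r\n", "\n").split("\n")
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    blank = lines.index("", start)  # armor headers end at the first empty line
    end = lines.index("-----BEGIN PGP SIGNATURE-----", blank)
    return lines[blank + 1:end]

def canonical_text(message):
    """Signed bytes: dash-escapes undone, trailing blanks stripped, CRLF line endings."""
    out = []
    for line in signed_lines(message):
        if line.startswith("- "):  # dash-escaping is removed before hashing
            line = line[2:]
        out.append(line.rstrip(" \t"))
    # The line ending before the signature block is not part of the signed text.
    return "\r\n".join(out).encode("utf-8")

def survives(sent, received):
    """True if the received copy still hashes to the text the sender signed.
    A real signature hash also covers signature metadata, which is omitted here."""
    return (hashlib.sha512(canonical_text(sent)).digest()
            == hashlib.sha512(canonical_text(received)).digest())

# Constructed transit changes, each applied to SAMPLE.
TRANSIT = {
    "LF to CRLF line endings": SAMPLE.replace("\n", "\r\n"),
    "trailing whitespace added": SAMPLE.replace("place.\n", "place. \t\n"),
    "footer appended after the signature": SAMPLE + "-- \nlist footer\n",
    "line re-wrapped": SAMPLE.replace("usual place.", "usual\nplace."),
    "mbox From-escaping": SAMPLE.replace("\nFrom ", "\n>From "),
}

if __name__ == "__main__":
    for change, received in TRANSIT.items():
        verdict = "still verifies" if survives(SAMPLE, received) else "Bad Signature"
        print(f"{change:38} {verdict}")
```

Text appended after the signature block is not covered by the signature at all, so it neither breaks verification nor gains any authenticity from it.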

2 Comments

  1. GPG / PGP Keys for Adrian P Wilkinson – Puffin Industries
    05/12/2020 @ 12:32

    […] I have provided examples of good and bad verification results, which can be found here. […]

  2. 2020-12-04 – Electronic Proof of Life (Case # HQ14C04961) – Puffin Industries
    09/12/2020 @ 12:52

    […] Example Good & Bad PGP Signatures […]