On Data Integrity
Digital Signatures Provide Security
In high school I read 1984 by George Orwell. You may remember that in this novel Winston Smith was employed to burn old newspapers. This was done in order to help support the ruling parties changing interpretation of events, if not to outright change the historical record. George Orwell could not have known about the digital way that information is preserved today.
Imagine what a current day Winston Smith would look like. This hypothetical Winston Smith wouldn't really need to burn anything. Simply altering the stored copies of data could drastically change people's perceptions. Just last week a librarian though it was odd that I was looking up something that wasn't digitally available. I could be very sure that the copy on the library shelf was the copy that the author intended. It would be nice if as much or more certainty could be provided for digital documents.
In fact it is possible to have a high degree of certainty that data has not changed. A digital signature provides mechanism to determine if information has changed. Once a document is signed then changing the document will invalidate the signature. It's also very difficult for anyone but the signing party to forge a signature. More difficult, in fact, than forging a handwritten signature.
There are other ways of preserving the integrity of data. The paper of Satoshi Nakamoto is perhaps one of the best digitally preserved documents. Blockchair provides a whole page that monitors this paper as hosted on several sites. They advertise the hash of the file and periodically check that it hasn't changed. There is also a copy included on the bitcoin blockchain. Embedding the document in the chain ensures the data haven't changed however it could be the case that a false copy was buried long ago. Digital signatures provide the advantage that the signer can first do their diligence and be reasonably certain that they're singing the correct copy.
As I have high certainty that I am hosting the original version of Satoshi Nakamoto's paper, I have signed this document.
Use Linux to Check the Signature
If you don't have a linux computer you should get one. Most linux installs
come with Gnu Privacy Guard gpg
which is software that implements the
PGP (Pretty Good Privacy) protocol.
To check the signature we will need three files. You can right click the
links to download them.
Darren's Public Key (darren_tapp_public_key.pub)
The File We Want to Check (bitcoin.pdf)
The Signature (bitcoin.sig)
Download all three files and put them in the same directory. I
made a fresh directory so that it's less cluttered. The command ls
lists all the files
That's good, all three files are there. Now I import Darren's public key.
gpg-import-bitcoin-sig.sh (Source)
$gpg --import darren_tapp_public_key.pub
When you start typing the file name, most likely, you can press tab to auto-complete.
The picture above is the response to this command. I used a fresh gpg install and there was a warning about it being a fresh run. This warning is not serious. It's only important if we were expecting gpg to manage our trust. Finally, we can verify the signature.
gpg-verify-bitcoin-sig.sh (Source)
$gpg --verify bitcoin.sig bitcoin.pdf
Use the --verify
flag and type the file with the signature and the
file that we want to verify.
In this example we have verified a detached signature. That's when the signature is separate from the file. It's also possible to have a signature as part of the file or message.
Again the display shows a warning. If we informed gpg that we trusted my key that warning will go away.