Before a deep dive into PGP signature, I will give you a promise so you can trust all my word afterward :)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I Promise that, to the best of my ability and judgement:
1. I will not produce harmful code.
2. The code that I produce will always be my best work. I will
not knowingly release code that is defective either in
behavior or structure.
3. I will produce, with each release, a quick, sure, and
repeatable proof that every element of the code works as it
should.
4. I will make frequent, small, releases so that I do not
impede the progress of others.
5. I will fearlessly and relentlessly improve the code at every
opportunity. I will never make the code worse.
6. I will do all that I can to keep the productivity of myself,
and others, as high as possible. I will do nothing that
decreases that productivity.
7. I will continuously ensure that others can cover for me, and
that I can cover for them.
8. I will produce estimates that are honest both in magnitude
and precision. I will not make promises without certainty.
9. I will never stop learning and improving my craft.
Vladimir Gaevoy,
09-05-2019
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.1.0
Comment: https://keybase.io/crypto
wsBcBAABCgAGBQJc1H74AAoJEPPkiuEV4D5x7p0H/2HiVzubj0S/omJUi3O5xAiM
kXEjSDy0Q2qRfkRFbp+zI0YuhI9A4qULEGGGvEH7zS3Dp1WuwHfSIrAgoXNcu3zX
/dDrsCd6RkQdltjfinTxneCTgiXv47ho8qBj9w9uM+tYC1+N6kxOS3KGrFAJfQL7
pkrblWvkNmu3v7CtcZagWi2nU96ng9A4g5vMuoxcbCGuhcKVCZv1btLHRvxWHGIS
gy9Tjz68e1/Ep95dgYolvMIwGPhAEqNnXxs/3zu6jkfFASyIcUNAFbUa5i6Rf+2d
Ffl55qDidR3Hd7qOGZpSJ/5m3hGReQsaqBE901NTV7DR7Bn+ICx7f9YZwR9TJQs=
=zjPT
-----END PGP SIGNATURE-----
Traditional handwritten signature sucks. It can be easily forged. The signed text can be changed. In order to verify that signature is legitimate, you have to know how it looks like otherwise, it is pretty hard to figure out.
Above, I signed my promise digitally by PGP almost the same way as I do a traditional handwritten signature. In order to sign I used Keybase, it can produce a PGP signature.
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender, and that the message was not altered in transit — Wikipedia
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications — Wikipedia
Despite theory about PGP signature, I do not understand a couple of things. What data is encoded inside those strange chars? Is it possible to reduce the size of the signature? Let’s figure out.
What is inside PGP signature
Thanks to open source, I can decode any PGP message. cirw.in/gpg-decoder/ is perfect tool for me. And that’s what’s inside.
Obviously, there is a digital signature. But additionally there are:
publicKeyAlgorithm- the name of algorithm that produced the signature, in my caseRSA.hashAlgorithm- the name of algorithm that was used to hash text before signature, in my caseSHA512. Wait a minute, I already have seen it just after-----BEGIN PGP SIGNED MESSAGE-----. The answer is “Hash:” header can be considered as a remnant of older times.creationTime- the date when signature has been created. The field is also signed so it is trustworthy (if you trust the signer).keyId- ID of the key that signed the text, in my casef3e48ae115e03e71. In order to verify the signature, the public key can be downloaded from Keybase via Keybase API. Moreover,Keybaseprovides complete information about the owner of the key via Keybase API, so anyone can prove that the signer is legitimate, looking to the connected entities.
Removing PGP signature redundancy
It is interesting what parts can be removed. I don’t expect to be compatible with PGP standard after that. However, the reduced version should be convertible back to the original. One more open source tool will help me to prototype. Greet, CyberChef!
Here are my CyberChef recipes. 2 things are removed which are not required:
- Header at the beginning.
- CRC checksum at the end.
Until now it still remains to be valid PGP signature. However, we can remove the rest of noise to get eventually this:
I Promise that, to the best of my ability and judgement:
1. I will not produce harmful code.
2. The code that I produce will always be my best work. I will
not knowingly release code that is defective either in
behavior or structure.
3. I will produce, with each release, a quick, sure, and
repeatable proof that every element of the code works as it
should.
4. I will make frequent, small, releases so that I do not
impede the progress of others.
5. I will fearlessly and relentlessly improve the code at every
opportunity. I will never make the code worse.
6. I will do all that I can to keep the productivity of myself,
and others, as high as possible. I will do nothing that
decreases that productivity.
7. I will continuously ensure that others can cover for me, and
that I can cover for them.
8. I will produce estimates that are honest both in magnitude
and precision. I will not make promises without certainty.
9. I will never stop learning and improving my craft.
Vladimir Gaevoy,
09-05-2019
https://imaginary.service/signature/wsBcBAABCgAGBQJc1H74AAoJEPPkiuEV4D5x7p0H_2HiVzubj0S_omJUi3O5xAiMkXEjSDy0Q2qRfkRFbp-zI0YuhI9A4qULEGGGvEH7zS3Dp1WuwHfSIrAgoXNcu3zX_dDrsCd6RkQdltjfinTxneCTgiXv47ho8qBj9w9uM-tYC1-N6kxOS3KGrFAJfQL7pkrblWvkNmu3v7CtcZagWi2nU96ng9A4g5vMuoxcbCGuhcKVCZv1btLHRvxWHGISgy9Tjz68e1_Ep95dgYolvMIwGPhAEqNnXxs_3zu6jkfFASyIcUNAFbUa5i6Rf-2dFfl55qDidR3Hd7qOGZpSJ_5m3hGReQsaqBE901NTV7DR7Bn-ICx7f9YZwR9TJQs
I can imagine how this representation of PGP signature simplify usability for both none technical users and for technical geeks. They just need to click the link and imaginary.service will do the rest dirty work: explain, verify, show details about signer and signature. By the way, QR Code can be a representation of PGP signature too:
So cool to realize what is encoded inside this QR code!