I saw that people on the dark web would sign their posts with a PGP key to prove that their account has not been compromised. I think I understand the concept of how private and public keys work but I must be missing something because I don’t see how it proves anything.

I created a key and ran gpg --export --armor fizz@… and I ran that twice and both blocks were identical. If I posted my public key block couldn’t someone copy and paste that under their message and claim to be me?

  • TauZero
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    To help you with the terminology, the names for the two operations are “signing” and “verifying”. That’s it.

    What can you do with…

    public key private key
    Encryption: encrypt decrypt
    Signature: verify sign

    “Signing” is not at all the same as “encrypting” with the keys swapped. It is a separate specific sequence of mathematical operations you perform to combine two numbers (the private key and the message) to produce a third - the signature. Signing is not called “hashing”. A hash may be involved as part of the signature process, but it is not strictly necessary. It makes the “message” number smaller, but the algorithm can sign the full message without hashing it first, will just require computation for longer time. “Hash-verifying” isn’t a thing in this context, you made that name up, just use “verify”.

    @dohpaz42 is mad because you messed up your terminology originally, and thought you were trying to say that you “encrypt” a message with the private key, which is totally backwards and wrong. He didn’t know that in your mind you thought you were talking about “signing” the message. Because honestly no one could have known that.