-----BEGIN PGP SIGNED WEB-PAGE-----

The PGP "How'd You Do That?" Page

Part IIA: How Do I Check A Web Page Signature?

This part of the tutorial has to do with how to go about checking the signature on a web page if the web page has a single signature. As we discussed in Part I, it is possible that there may be a "compound" signature; that is, a signed page that is signed again, usually by a time stamping service. You might also run across a page that is signed by two authors, which would also make a compound signature. (With two embedded signatures, one is "wrapping" the other. Note this doesn't apply to detached signatures, in which you'll have two seperate signatures that verify the same page in seperate files. Check David Ross' PGP Page for a discussion of signing and verifying web pages with detached signatures.)

We'll be discussing verifying "compound" signatures in Part IIB. For now, we'll stick with the single signature. When you get that down, move on to Part IIB for the fancy stuff.
What Will You Need?

Well, for starters you need the right software.

You should have PGP v.6X (Windows95/98 or Macintosh). You can use the DOS version PGP v.2.6.X (I'll brush over it below), but you're on your own for all the command lines and flag references you'll need to use. I use it all the time, but it's a hassle to explain to anyone. If you don't have a current version of PGP, you can get it (FREE!) at http://www.pgpi.org. Come back after you get it installed and have read through the manual.

You need the public key of whoever signed the page on your PGP keyring. In this particular case, you'll need mine. You can get it off my home pages (click here) or, if you prefer, off of a keyserver in Germany ( click here). Either way, remember when you're finished to close the new window that will open.

CAUTION: If you don't know what to do to get my keys onto your keyring, you're in over your head. You should get more familiar with the basics of your PGP program before proceeding. As always, RTFM....it's in there.....

OK, ready? Let's begin. This web page is signed by me using the secret key that matches the public key you should now have on your PGP keyring.

In the case of this particular page, you can tell that it is signed by the information you will see in the yellow blocks at the top and bottom of this page. The info won't normally be in a yellow (or any other color) block, and you won't see it again in this tutorial series, but I've highlighted it this one time so you can find it easily.

To check it:

RIGHT click somewhere on this page. It should then display a number of options. One of those options is "View Source". Select that option, and the raw HTML making up this page should appear in a "Notepad" window. (NOTE: Netscape may have a different routine to get the HTML source of a page -- probably on your menu line somewhere in a submenu).

Click anywhere in the "Notepad" window ONCE to make sure that it is the "selected" window. A cursor should appear somewhere in the vicinity of where you clicked.

On the little PGP padlock that should be in your toolbar (bottom right side of the screen in most setups) click once. This should display a little menu, including an item that says "Current Window". Put your cursor on that, and a submenu will appear. Select "Decrypt & Verify".

That's it! You should now be looking at a window that says:
*** PGP Signature Status: good
*** Signer: Jim Willingham (email address)
*** Signed: (date and time)
*** Verified: (date and time)
You can also save the "Notepad" as a text (*.txt) or raw HTML file (*.htm, *.html) and check it that way.

In the "Notepad" window, go to "File/Save As" and save it someplace where you can find it. Or, if you prefer, you can skip the "Notepad" part, and save it directly from this page into an ASCII file. Here's how:

Assuming you're using MSIE, go to the main menu (top of the screen) and select "File/Save As". Save it with a name somewhere you can find it. Remember to save it as "HTML Only". DO NOT save it as "Web Page, Complete," as it will add a bunch of junk to the file, and it WILL NOT show a valid signature.

Either way, you should wind up with an ASCII file that contains the entire HTML code of this page.

- - - From Windows 9X, you should be able to start "PGP Tools" and use the "Decrypt & Verify" function on the file, and it should verify with a "Good" signature.

For those of you who are PGP ver 2.6.X junkies, you should now be able to go to DOS and verify the signature on the saved ASCII file just like you would on any other. (Told you I wasn't going to get into command lines and flags....)

An Experiment: After you've verified the signature (whichever of the methods above you want to use to do it), re-open the "Notepad" (text editor) version. Make the smallest change you can think of somewhere in the HTML code, and check the signature again. You should get a "BAD SIGNATURE!" notice.

Have fun! Go To Part I (What Does "Signing" Something Mean?)
Go To Part II (How Do I Check A Web-Page Signature?)
Go To Part III (How Do I Sign A Web-Page?)
Oh, just thought I'd mention....All the gibberish following this line is the PGP signature, which is the hash number of this page encrypted with my "secret" key. Just in case you wanted to know....