-----BEGIN PGP SIGNED WEB-PAGE-----

The PGP "How'd You Do That?" Page

Part III: How Do I Sign A Web Page?


Piece of cake. Well, OK, it's not. It's a pain in the left cheek, if you know what I mean, but not that big a deal.

I'll give you the mechanics of how it's done in six simple(?) steps -- and try to explain the "whys" after we've finished, although if you're into PGP and HTML at all, you should be able to see why it's done this way.

STEP 1:
Write your HTML. Check it, and double check it. Run it on your browser to make sure it's EXACTLY what you want. Remember that after you PGP sign it, you can't change anything without invalidating the signature. For this, we're going to use the simplest HTML example I can think of:

<html>
<head>
<title>
This Is The Title
</title>
</head>:
<body>
This is the junk that's going on the web page.
</body>
</html>

STEP 2:
Insert this on the first line of your HTML page: -->
NOTE that this is "SPACE, DASH, DASH, GREATER-THAN SIGN" - the beginning space is mandatory, since PGP does bad things to lines that begin with a "DASH".

We'll discuss why later. Just do it and trust me. Your code should now look like this:

 -->
<html>
<head>
<title>
This Is The Title
</title>
</head>:
<body>
This is the junk that's going on the web page.
</body>
</html>

STEP 3:
Insert <pre> just before the </body> tag. Again, just trust me here. Your code should now look like this:

 -->
<html>
<head>
<title>
This Is The Title
</title>
</head>:
<body>
This is the junk that's going on the web page.
<pre>
</body>
</html>

STEP 4:
Insert <KBD>-----BEGIN PGP SIGNED WEB-PAGE-----</KBD> just before the <body> tag. It's purely cosmetic, but lets people know what you're certifying. Your code should now look like this:

 -->
<html>
<head>
<title>
This Is The Title
</title>
</head>:
<KBD>-----BEGIN PGP SIGNED WEB-PAGE-----</KBD>
<body>
This is the junk that's going on the web page.
<pre>
</body>
</html>

STEP 5:
Select and Cut (to clipboard) EVERYTHING between and including  --> (the first line) and <pre>. Paste it into a handy ASCII editor -- "Notepad" for example. DO NOT include the </body> or </html> tags. PGP sign the "Notepad" page, Select All, Copy and paste it back into your HTML editor. Your code should now look like this:

-----BEGIN PGP SIGNED MESSAGE-----

 -->
<html>
<head>
<title>
This Is The Title
</title>
</head>:
<KBD>-----BEGIN PGP SIGNED WEB-PAGE-----</KBD>
<body>
This is the junk that's going on the web page.
<pre>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use

iQCVAwUBOVWMbKY+qT1p0/NdAQHmFwP/e4KYO0LwbALiboVlx7IIywl3tRGowZF0
utVWJLZ2Y/I+/cUElXyvDv3p8uTr+enpLljCXM+VOXAt87r+xir6XhYXG4Y6HzkR
okShhbZUTMn/b1TfyLFBwZJdL41Vk2VHZ9pNvmXwa2VYm/bk4NBZiKZELtcrSFaS
G7ulSbhPUTY=
=e5Y0
-----END PGP SIGNATURE-----
</body>
</html>

STEP 6:
OK, now we're in the home stretch. Insert <!-- above the first line and </pre> immediately above the </body> tag, and you're done. Your code should now look like this:

<!--
-----BEGIN PGP SIGNED MESSAGE-----

 -->
<html>
<head>
<title>
This Is The Title
</title>
</head>:
<KBD>-----BEGIN PGP SIGNED WEB-PAGE-----</KBD>
<body>
This is the junk that's going on the web page.
<pre>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use

iQCVAwUBOVWMbKY+qT1p0/NdAQHmFwP/e4KYO0LwbALiboVlx7IIywl3tRGowZF0
utVWJLZ2Y/I+/cUElXyvDv3p8uTr+enpLljCXM+VOXAt87r+xir6XhYXG4Y6HzkR
okShhbZUTMn/b1TfyLFBwZJdL41Vk2VHZ9pNvmXwa2VYm/bk4NBZiKZELtcrSFaS
G7ulSbhPUTY=
=e5Y0
-----END PGP SIGNATURE-----
</pre>
</body>
</html>

OK, WHY DID WE DO ALL THAT?
Well, let's see what we've done. Everything between <!-- and  --> is seen as a "comment" by the HTML interpreter (browser). It is completely ignored, which means we don't have to put in any tags to format whatever's in there. This is good, since PGP wouldn't know what to do with tags. All it's interested in is the line that says:

-----BEGIN PGP SIGNED MESSAGE-----

which must be on a line by itself with a blank line following for PGP to "see" it. That's what this accomplishes:
<!--
-----BEGIN PGP SIGNED MESSAGE-----

 -->

Everything between
"-----BEGIN PGP SIGNED MESSAGE-----"
and
"-----END PGP SIGNATURE-----"
must be included when the message is signed. Anything changing between these two lines will result in an invalid signature! That's why we had to start out with putting  --> in first (STEP 2, above) BEFORE we PGP signed it.

Same for the <pre> tag. It is necessary, because we want the PGP signature to remain in its original format (PGP is pretty particular about that), but since it's going to wind up ABOVE the "-----END PGP SIGNATURE-----" line, it has to be in there before we PGP sign the thing (STEP 3, above).

The opposite is true for the <!-- and </pre>. They are going to be OUTSIDE of the PGP boundaries ("-----BEGIN PGP SIGNED MESSAGE-----" and "-----END PGP SIGNATURE-----") so they are put in AFTER it's signed (Step 6, above).
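
The boundary described above can be checked mechanically. This Python sketch is an added example, not code from the original page: it splits a finished page into the lines before the signed region, the signed cleartext (with PGP's "- " dash-escaping undone) and the lines after the signature, then lists anything outside that Step 6 does not account for. The sample page, its placeholder signature and the function names are constructed for illustration, and the signature itself is not verified here.

```python
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
# What Step 6 leaves outside the signed region (per the page's procedure).
ALLOWED_OUTSIDE = {"<!--", "</pre>", "</body>", "</html>"}


def split_signed_page(page):
    """Return (before, signed, after) as lists of lines.

    `signed` is the cleartext the signature covers, with dash-escaping undone.
    """
    lines = page.splitlines()
    try:
        start = lines.index(BEGIN)
        sig = lines.index(SIG_BEGIN, start)
        end = lines.index(SIG_END, sig)
    except ValueError:
        raise ValueError("no complete clearsigned block found") from None
    # Optional "Hash:" headers follow BEGIN; cleartext starts after the blank line.
    body = start + 1
    while body < sig and lines[body].strip():
        body += 1
    # PGP prefixes "- " to signed lines that start with a dash; strip it again.
    signed = [l[2:] if l.startswith("- ") else l for l in lines[body + 1:sig]]
    return lines[:start], signed, lines[end + 1:]


def unsigned_extras(page):
    """Non-blank lines outside the signature that Step 6 does not account for."""
    before, _, after = split_signed_page(page)
    return [l for l in before + after
            if l.strip() and l.strip() not in ALLOWED_OUTSIDE]


# Constructed sample: placeholder signature block, not real PGP output.
SAMPLE = "\n".join([
    "<!--", BEGIN, "", " -->", "<html>", "<body>",
    "- -- this line started with a dash before signing",
    "Signed text.", "<pre>", "",
    SIG_BEGIN, "", "PLACEHOLDER-NOT-A-REAL-SIGNATURE", SIG_END,
    "</pre>", "</body>", "</html>",
])
# Same page with a line added after signing, outside the signed region.
EDITED = SAMPLE.replace("</pre>", "</pre>\n<p>Added after signing</p>")

if __name__ == "__main__":
    print(split_signed_page(SAMPLE)[1])
    print(unsigned_extras(SAMPLE), unsigned_extras(EDITED))
```

A browser renders the added line in EDITED like any other content, but the signature says nothing about it, so a reader checking the page should compare what is displayed against the signed lines only.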

As for the <KBD>-----BEGIN PGP SIGNED WEB-PAGE-----</KBD> entry you put in before the <body> tag -- as I said, just cosmetic. PGP people know that PGP stuff has to have a "Begin" line or it won't work, so we make it the first line that prints on a page and they get all warm and fuzzy.

Hope that helps. The only question remaining is why on earth anyone would PGP sign a web page. Beats me. Pretty cool stuff, though, and there's probably a good reason for it somewhere. (Shrug) As many people as have asked me how to do it, I can only assume someone's got a use for it....



©2000, 2001 All Rights Reserved