How to verify a Worrying Bugs Signature

What’s a PGP Signature?

A PGP signature is a file that allows someone to verify that a set of information (like an mp3 file from your favorite podcast) was “signed” by whoever claims to have signed it.

Cryptographic “signing” is very similar to signing things in the physical world. Someone can look at your signature and verify that you signed it by comparing it to something you’ve signed in the past. Cryptographic signing works by creating a file that is unique to both the signer’s private key and the file they are signing, so if someone tried to impersonate the signer, they would not be able to create a valid signature for whatever they were trying to pass off.

The signer’s public key is used to verify that a file and its signature are valid.

How do I verify a PGP Signature?

The Worrying Bugs’ public key is located here.

You can get the GPG suite here. It contains the frameworks necessary to verify a signature. Some of the available programs will have a GUI which should be relatively straightforward, so the rest of this brief tutorial will be about using the command line.

Signatures for the episodes of Worrying Bugs are typically in the show notes under “This episode’s PGP signature:”.

Make sure the Worrying Bugs’ public key has been imported by using the command:

gpg --import [filename of public key]

You can then verify the signature by using the command:

gpg --verify [filename of signature file] [filename of mp3]

This should tell you whether or not the Worrying Bugs signed this mp3.
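
A script version of the verify step, added here as an example (it is not from the original page). gpg --verify reports a good signature for any key in your keyring, so this checks gpg's --status-fd output against one specific fingerprint. The function names are made up for this example, and the fingerprint argument is a placeholder for the fingerprint of the Worrying Bugs key, which this page does not list.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage: sh verify-episode.sh <FINGERPRINT> <signature file> <mp3 file>
# <FINGERPRINT> is a placeholder: use the fingerprint of the Worrying Bugs key.

# check_status EXPECTED_FPR
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR and nothing reports a bad, unverifiable, expired or
# revoked signature.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint. The "" forces string comparison.
        $2 == "VALIDSIG" && (($3 "") == want || ($NF "") == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_episode EXPECTED_FPR SIGNATURE_FILE MP3_FILE
verify_episode() {
    # --status-fd 1 puts machine-readable status lines on stdout; the
    # human-readable messages on stderr are discarded.
    gpg_status=$(gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null) || true
    if printf '%s\n' "$gpg_status" | check_status "$1"; then
        echo "OK: $3 has a valid signature from key $1"
    else
        echo "FAIL: no valid signature from key $1 on $3" >&2
        return 1
    fi
}

# Run only when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then
    verify_episode "$1" "$2" "$3"
fi
```

Get the fingerprint through a channel other than the one that delivered the key file and the mp3; a fingerprint copied from the same place as the key adds no assurance.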

PGP is pretty cool, how can I learn more?

This does a pretty good job of explaining some concepts relating to public key cryptography. Wikipedia is always reliable as well.