
Since we just finished a section on verifying downloads with signatures and public keys, I figured we should do a quick post on verifying messages by using the same two things, signatures and public keys.

Now for those of you who are members of the Silk Road Forums, you will notice that some people, mainly Moderators, like to sign their messages with signatures. Let us look at an example of a signed message from Dread Pirate Roberts, the last message he left before going on his leave of absence.


Hash: SHA512

Silk Road has not been compromised even if the allegations are true. Neither had access to sensitive material. I will make an announcement later to address the concerns this has raised.


So why should you care about this? What is the significance of signing a message? The reason is that if somebody were to compromise DPR’s account, whether through a weak password or an exploit in the forum’s code, that person would still not be able to sign messages without access to DPR’s private key. So let us look at how we can verify this message left by DPR. First of all you need to visit Dread Pirate Roberts’ profile page and grab his PGP public key. I am not going to post the key here for space reasons, but just visit his page at the following URL and import that key into your keyring.


Next, highlight the entire PGP signed message from top to bottom and copy it to your clipboard (Right click, Copy). You will see your little Clipboard icon in the top right of Tails turn red. Click on that clipboard and select Decrypt/Verify. You should get the following results, one in the window on top and the other on the bottom.


Silk Road has not been compromised even if the allegations are true. Neither had access to sensitive material. I will make an announcement later to address the concerns this has raised.

gpg: Signature made Fri 20 Dec 2013 01:37:46 PM UTC using RSA key ID 7CFEDFBC
gpg: Good signature from "Dread Pirate Roberts <silkroad6ownowfk.onion>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5A48 F5D0 50E9 9052 62B4  799D CCB2 38E4 7CFE DFBC

Again we get the same warning we did when verifying our downloads, saying we have not verified that the PGP public key is authentic. We can see the signature was made by Dread Pirate Roberts and the comment section has the Silk Road URL, so far so good. Now remember when we verified Tor? We checked the fingerprints to see if they matched. We do this by going to our keyring (Manage Keys), selecting DPR’s key, right clicking it and going to Properties. Now move to the Details tab, look under where it says Fingerprint: and compare the numbers there to the numbers we got when we verified the signature. They should be the following.

5A48 F5D0 50E9 9052 62B4
799D CCB2 38E4 7CFE DFBC

We have ourselves a match! So unless DPR’s private key was compromised, we know that he himself was the one who wrote that message. So now you see why some people decide to sign their messages. It is a way of showing that their account has not been compromised, by proving that the person in control of the account is the same person who controls the PGP private key.

Do you want to learn how to sign a message? It is very easy. Open up gedit Text Editor and type in a message. Next, select the message and copy it to your clipboard (Right Click – Copy) and then click on your clipboard icon up top and choose Sign/Encrypt Clipboard with Public Keys. Do not choose a key from your list of PGP public keys unless you want to encrypt the message. If you want to encrypt the message to send to somebody’s inbox or so that only one person can view it, then select their name and it will encrypt it with their PGP public key. In our case, we just want to sign the message without encrypting it, but you can certainly do both at the same time if you wanted to.

If you look down near the bottom you will see where it says Sign message as: click on this and select your personal key. It will ask you for your passphrase because remember you are signing this with your private key. Once you enter it correctly, the PGP signed message will be copied to your clipboard and you can paste it anywhere (Right Click – Paste) that you want to. Here is what mine looked like.

Hash: SHA512

This is my PGP signed message for demonstration purposes.


And if you want to verify it, check out my PGP public key in my profile and verify my PGP signature against my key! It is really that simple. But you might be asking, cannot somebody just change the message and copy the signature? No, changing the message will change the signature because the signature depends on both the message and the PGP private key. So if you change one single character of my signed message you will get the following error.

gpg: Signature made Fri 10 Jan 2014 09:39:34 PM UTC using RSA key ID A0F359F2
gpg: BAD signature from "Jolly Roger (They would live and die under it)"
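To make the checks above mechanical, here is an added example (not part of the original post) that parses the kind of gpg verification output shown in this post, compares the reported primary key fingerprint against the one read off the key's Details tab, and only reports a message as verified when the signature is good AND the fingerprints match. It also shows that the short key ID (7CFEDFBC) is just the tail of the fingerprint, which is why the full fingerprint, not the key ID, is what you compare. The sample outputs are constructed from the two verification runs on this page.

```python
import re

# Constructed sample output: the Good and BAD verification runs quoted on this page.
GOOD_OUTPUT = """\
gpg: Signature made Fri 20 Dec 2013 01:37:46 PM UTC using RSA key ID 7CFEDFBC
gpg: Good signature from "Dread Pirate Roberts <silkroad6ownowfk.onion>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5A48 F5D0 50E9 9052 62B4  799D CCB2 38E4 7CFE DFBC
"""
BAD_OUTPUT = """\
gpg: Signature made Fri 10 Jan 2014 09:39:34 PM UTC using RSA key ID A0F359F2
gpg: BAD signature from "Jolly Roger (They would live and die under it)"
"""

# Fingerprint as read from the key's Details tab in the keyring (from the page).
EXPECTED_FPR = "5A48 F5D0 50E9 9052 62B4 799D CCB2 38E4 7CFE DFBC"


def normalize_fpr(fpr):
    """Strip whitespace and upper-case so differently spaced fingerprints compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def check_signature(gpg_output, expected_fpr):
    """Parse gpg verify output and decide whether the message should be trusted."""
    result = {"good": False, "bad": False, "uncertified": False, "key_id": None,
              "fingerprint": None, "fingerprint_matches": False, "key_id_consistent": False}
    for line in gpg_output.splitlines():
        m = re.search(r"using \w+ key ID ([0-9A-Fa-f]+)", line)
        if m:
            result["key_id"] = m.group(1).upper()
        if line.startswith("gpg: Good signature from"):
            result["good"] = True
        elif line.startswith("gpg: BAD signature from"):
            result["bad"] = True          # message or signature was altered
        elif "not certified with a trusted signature" in line:
            result["uncertified"] = True  # key not yet trusted: fingerprint check required
        m = re.match(r"Primary key fingerprint:\s*(.+)", line)
        if m:
            result["fingerprint"] = normalize_fpr(m.group(1))
    fpr = result["fingerprint"]
    if fpr:
        result["fingerprint_matches"] = fpr == normalize_fpr(expected_fpr)
        # The short key ID is only the last 8 hex digits of the fingerprint, so it is a
        # consistency check, never a substitute for comparing the whole fingerprint.
        if result["key_id"]:
            result["key_id_consistent"] = fpr.endswith(result["key_id"])
    result["verified"] = result["good"] and not result["bad"] and result["fingerprint_matches"]
    return result
```

Running check_signature(GOOD_OUTPUT, EXPECTED_FPR) reports verified with the uncertified warning still flagged, while the tampered BAD_OUTPUT is never verified even though a key ID is present.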

So when should you sign a message? And when should you not sign a message? Great question. The majority of users should probably not sign messages unless they have to, because not signing preserves your plausible deniability. It is easier to deny posting certain things or certain communications you may have had with vendors or other people, including law enforcement, if you do not sign your messages, because you can always claim somebody else gained access to your account. It is harder to do this if you signed the message with your PGP private key. If you are dealing with somebody who wants to verify your identity and make sure that your current signature matches the public key they had on file for you from 6 months ago, then they might get you to send a signed message. But again, all they really need to do is send you an encrypted message with your PGP public key they had on file, and if you cannot decrypt it, you are not who you say you are.

In real-world applications, developers can use PGP signed messages in news announcements or in new releases of their programs that provide a download URL, so that users can be sure the developer is the one posting the URL and not some malicious attacker who compromised the developer’s forum account. So for the average Silk Road forum user there really are not a lot of times when you should be signing messages unless you are a moderator or making a public announcement, but it is an option you now have in your arsenal, and you can now start verifying the signatures of the Administrators and Moderators in case you believe their accounts may have been compromised.

Updated: 2014-02-13