PGP Basics

This page will explain what PGP is and how to use it. This is a very basic guide for the command line of gpg. If you want to learn more about PGP I recommend this guide.


What is PGP and GPG?

PGP stands for Pretty Good Privacy. It is a way to encrypt and sign messages. It can be used to verify that my software is authentic and to send me encrypted messages. GPG is an implementation of PGP. It is a free and open source program that can be used to encrypt and sign messages, generate keys and more.


Step 1: Download GnuPG:

If you are on Windows you can download gpg.exe here: https://gnupg.org/.

If you are on Linux then your OS should come with gpg pre-installed in the command line. Otherwise, you can install it on Ubuntu-based distros using:

sudo apt install gpg

Step 2: Generating a key:

First you must generate a key. This can be done by running:

gpg --full-generate-key

Then you will be asked what kind of key you want to generate. I recommend using RSA and RSA. Then you will be asked what size you want your key to be. I recommend 4096. Then you will be asked how long you want your key to be valid for. I recommend 0, which means it will never expire. Then you will be asked for your name, email and a comment. You can leave the comment and/or email blank. Then you will be asked to confirm your information. Then you will be asked for a passphrase. After this your key should be generated.

Next you must export your public key. This can be done by running:

gpg --armor --export [key id] > myPublicKey.txt

Replace [key id] with the id of your key. This can be found by running:

gpg --list-keys

You can then send this key to anyone you want as it is your public key. It can be used to verify and sign messages by you.

To export your private key you must run:

gpg --armor --export-secret-keys [key id] > mySecretKey.txt

Keep this as a backup of your secret key in case you lose it. You can also use this to import your key on another device. Do not share this key with anyone else. This file is encrypted with your passphrase, so there is some protection if someone steals it.


Step 3: adding my keys:

First you must download my keys and import them into gpg. This can be done by going to https://sophuwu.site/pgp.txt and saving the page by right clicking and pressing "save as". Save the file as something memorable such as "sophuwu.site.txt". Then you can import it by running:

gpg --import sophuwu.site.txt

The Sophie <fake@email.com> key is my personal key to send me messages. As I use it on Discord and other places online, I decided to not include my real email. The sophuwu <admin@sophuwu.site> key is the website's key. It is only used to verify my software.

Next you must sign the key to verify to the system that you trust it. You can do this by running:

gpg --sign-key 51D01155267251E0271C06B4B6FF8843685DBC56
gpg --sign-key F1D9B567A3879FBDD5AB658F619DFC4C50E79C04

I recommend using the key fingerprint rather than the email address. This makes it harder for someone to send you a fake key with the same email.

You will not need to repeat this process; you only need to download, import and verify the keys once. Do not delete keys that you trust. Keep the same keys for as long as possible to avoid downloading fake keys.


Step 4: Verify My Software:

Firstly, download the software and the signature files. The signature file is a file with the same name as the software but with .sig.txt at the end. Zip files should be verified before extracting. The signature files are detached signatures, which are verified differently from normal messages. To verify a detached signature you must run:

gpg --verify [file].sig.txt [file]

If the signature is valid then you will see "Good signature" in the output. If you skipped signing the key, gpg will also warn "There is no indication that this key is owned by who you think it is." This is usually okay as long as it says "Good signature" and the key fingerprint shown is the one you imported.

$ gpg --verify file.zip.sig.txt file.zip

gpg: Signature made Fri 30 Jun 2023 20:32:14 CEST
gpg:               using DSA key 51D01155267251E0271C06B4B6FF8843685DBC56
gpg:               issuer "admin@sophuwu.site"
gpg: Good signature from "sophuwu <admin@sophuwu.site>" [ultimate]
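Added example for the verify step above (my script, not part of the original guide): instead of looking for "Good signature" by eye, it reads gpg's machine-readable --status-fd output and accepts the file only when the VALIDSIG line names the expected fingerprint, so a good signature from a look-alike key with the same name and email is rejected. The website fingerprint is taken from the guide; the two status outputs, the placeholder fingerprint and the timestamp/algorithm fields are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the guide author's script): accept a detached signature
# only when gpg reports a VALID signature made by the expected fingerprint.

# The website key fingerprint given in the guide.
EXPECTED_FPR="51D01155267251E0271C06B4B6FF8843685DBC56"

# Reads gpg --status-fd lines on stdin. Prints "ok" and returns 0 only if a
# VALIDSIG line names the expected fingerprint, either as the signing key
# (field 3) or as the primary key of a signing subkey (field 12), and no
# BADSIG/ERRSIG line appeared. Otherwise prints "REJECT" and returns 1.
sig_from_expected_key() {
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v fpr="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $12 == fpr) { found = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END {
            if (found && !bad) { print "ok"; exit 0 }
            print "REJECT"; exit 1
        }'
}

# Wrapper for the guide's verify step: $1 = file.sig.txt, $2 = file,
# $3 = expected fingerprint (defaults to the website key). Status lines go
# to stdout (--status-fd 1); gpg's human-readable output is discarded.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        sig_from_expected_key "${3:-$EXPECTED_FPR}"
}

# Constructed status output for a signature by the real website key
# (timestamp and algorithm fields are illustrative, not captured).
STATUS_REAL='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B6FF8843685DBC56 sophuwu <admin@sophuwu.site>
[GNUPG:] VALIDSIG 51D01155267251E0271C06B4B6FF8843685DBC56 2023-06-30 1688149934 0 4 0 17 8 00 51D01155267251E0271C06B4B6FF8843685DBC56
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed status output for a good signature by a look-alike key with the
# same user ID but a placeholder fingerprint (all zeros): must be rejected.
STATUS_FAKE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 sophuwu <admin@sophuwu.site>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-06-30 1688149934 0 4 0 17 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

printf '%s\n' "$STATUS_REAL" | sig_from_expected_key "$EXPECTED_FPR" || true   # prints "ok"
printf '%s\n' "$STATUS_FAKE" | sig_from_expected_key "$EXPECTED_FPR" || true   # prints "REJECT"
```

For a real file, call verify_detached file.zip.sig.txt file.zip and check its exit status; the fingerprint comparison is what the --verify output's "using ... key" line asks you to check by eye.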

To Send Me An Encrypted Message:

To send me an encrypted message, first make a txt file with your message in it. Then you can encrypt it by running:

gpg --encrypt --recipient F1D9B567A3879FBDD5AB658F619DFC4C50E79C04 --armor [file]

This will output a file with the same name but with .asc at the end. This is your encrypted message. When you send this to me, don't forget to include a copy of your public key, so I can respond with an encrypted message to you. Nobody else will be able to decrypt it; not even you.