OPSV is a FOSS solution for easy PGP signature verification.
This project uses openpgp.js loaded in the browser, meaning all processing is done on the device itself and no data is ever sent to the server. It supports loading public keys directly through three inputs, in this order: plaintext, web key directory, and HKP.
OPSV will always use the first input method it detects in the order described above.
Visit https://opsv.foss.guru/. On this website, you can enter a signed message (see example below) and any of the three supported public key inputs to verify that the owner of that public key did indeed sign that message.
Let’s say I, Yarmo, would really like the world to know that I like pineapple. Using my private key, I’ve signed that statement so you can verify I wrote that message.
The signed statement:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I like pineapple. -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl7p1IEACgkQNzZ/SvQI etEXkRAAhh0viUkjH0chcwSpOEUnXkpMROy64+zT9VjUuxIWNWHChBXg4JqseEX4 XbvF+916xFPqBVX0p5NCJnJiZc+npEr/Y0U5NND3GW2AoSnqaF5YUxJmjyLKvHCc sI4cdwEVM5TB6GisBUOZGcIddcXnlbmAIlQ7KhorDBDsD8F3mjAkwigWQa82uzp0 C/KKkllzOLufDS82R33Z6EUTr3xKNEYjcOgz1vuFDN2Mstrm/Remz0wIcGgopYE+ Q1QixnKZOdpslEsvJT9ot1Pm9ISByR8TONN2iPRGblxBCa3ra1iZHOq+vf1KRd/F mYJu0yEJODtPXdd2B8MNCNrLk5j8ne1aWfQC1vnPRBzmv4eKv5Hdb39LGUttO7jj lFNEqPTlNqI9zWL6zuFPt5vnaJfe1JwYI4tBpW9Si+vpuIIjgM7C8x7xRw1EipED 2k0//7bt7WjIKdv5fLd7kHpyf+h2mwAcIXqoMX+5q9mAxmXEBV9NXCwwjssbZ9Ub WV1D2jtN+zSU+PY2/exQ07fcHTYZxnBwwyDhAEvc4JZ2f3ezNuliOi5P+cyT+S/m /zrFCrcz+G7TN3jzh3mmA4q6dNDIVJ6R04VQzy+Up3n2JlzlAb6aKyJBrDLAKuvC whF+3jc244bVxfhiQKDL+7mwBZdo0oJ8VC8zFNas5DW8UWpMipQ= =G0ZY -----END PGP SIGNATURE-----
Use this as “Message” on OPSV.
Now, let’s check the signature. Go to my personal website and copy-paste the “plaintext” key in the “Public Key (1: plaintext)” field.
You will see a green message confirming that my key was used to sign this message. I really do like pineapple.
Remove the contents from the “Public Key (1: plaintext)” field. Now, in the “Public Key (2: web key directory)” field, write firstname.lastname@example.org and verify the signature again. It is still verified. Try using email@example.com or any other input: it won’t verify.
Remove the contents from the “Public Key (2: web key directory)” field. I uploaded my keys to the https://keys.openpgp.org/ HKP server, which is the default server used by OPSV. All you need to do is once again go to my personal website and copy-paste the “Fingerprint” in the “Public Key (3: HKP)” field (the second field!). Still verified!
Nobody else can sign a statement with my private key: I, and only I, have access to it.
Someone could, however, simply take any of my signed messages and change the content. Like so:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I like privacy invasion. -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl7p1x0ACgkQNzZ/SvQI etEgwg//e8gkrOVESf9hI5gt0F6PKtPljMPqA9nI/HWjiUbSb/QmFP/ExIYHsnrC M3aQnVSCQFPBrrGYljNk9m6LCRMZ+WB5rHC+n4IXcgzNqAZ0c4pHNFD5QlOXi3+u 0wimUr6zBY+LDNFlmh/REPLywK/tm/AG0+9PaPy8rLIU7sc+glTb+U6gIXji8rd6 T36xk1Pd3VddRmXg4Rjtjo79q9ofqKiaQfKbQ2lcD0EnEtTcOhfW2zoofJ2gPOs2 oiTY3zsxLQjZ7gPwD/mTHuCu4xiMnZnGOMwmL1pVMeYdUiY0uR7RiAModUBTZ/v1 6lS9glJHAuDcwchcZNjJOAdyOy+YzFRwZ/QXyjV9EqVLS29S8HTMqlag0hMF4DRs irb3BfAypDXPbkroPrFgAXclE5fuOR3ZT7tvSpSEqPh3LEtsgghEGxB93W2R62bw 0pMrMau4SD0D9aiIplAKGn50gM41x1jVXLCj86/sqHlt2H9erTNKQiBIQsfsovpv jkzVPfs/HkbR7pkM+Ow8KgixOoT4vDkQw9SsED8gKKdvhGtkDJ6WgEnQWFrA0y+h kTR47U59256K2ASfElrgjT1z/OwD5dkkfGq50pl/wxg1AoRuM4lEuB1GG4L6RtIz hRYaIde4Vjx0djPTP6OCLbCbTt1WxekdS2e4cDzcUQlnFKFLn1k= =EiD6 -----END PGP SIGNATURE-----
Given the wording of the statement, you naturally doubt that it came from me. You run it through OPSV and indeed, this is not what I wrote!
You know me, “I despise privacy invasion.” (hint hint).
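Why the edited message above fails, as an added example that is not part of the original page and is not OPSV or openpgp.js code: a parser for the cleartext signature framing (header, `Hash:` line, dash-escaped text, signature block) followed by a verification over exactly the text it extracts. It assumes Node.js and uses a raw Ed25519 signature from Node's `crypto` as a stand-in for the OpenPGP signature packet; `parseCleartextSigned`, `signCleartext`, `verifyCleartext` and `demo` are hypothetical names, and the key is generated on the spot.

```javascript
// Added example: not OPSV or openpgp.js code. Uses only Node.js built-ins.
const crypto = require('crypto');
const BEGIN_MSG = '-----BEGIN PGP SIGNED MESSAGE-----';
const BEGIN_SIG = '-----BEGIN PGP SIGNATURE-----';
const END_SIG = '-----END PGP SIGNATURE-----';
const stripTrailing = (line) => line.replace(/[ \t]+$/, '');

// Split a cleartext-signed message into hash names, canonical signed text and signature body.
function parseCleartextSigned(armored) {
  const lines = armored.replace(/\r\n/g, '\n').split('\n');
  let i = lines.indexOf(BEGIN_MSG);
  if (i < 0) throw new Error('missing signed-message header');
  const hashes = [];
  for (i++; i < lines.length && lines[i] !== ''; i++) { // headers end at the blank line
    const m = /^Hash: (.+)$/.exec(lines[i]);
    if (!m) throw new Error('unexpected armor header: ' + lines[i]);
    hashes.push(...m[1].split(',').map((h) => h.trim()));
  }
  const sigStart = lines.indexOf(BEGIN_SIG, i);
  const sigEnd = lines.indexOf(END_SIG, sigStart + 1);
  if (sigStart < 0 || sigEnd < 0) throw new Error('missing signature block');
  const text = lines.slice(i + 1, sigStart)
    .map((l) => (l.startsWith('- ') ? l.slice(2) : l)) // undo dash-escaping
    .map(stripTrailing)                                // trailing whitespace is not signed
    .join('\r\n');                                     // canonical CRLF line endings
  const signature = lines.slice(sigStart + 1, sigEnd).join('');
  return { hashes, text, signature };
}

// Stand-in signer (assumption): raw Ed25519 over the canonical text, base64 in the armor body.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519'); // constructed test key
function signCleartext(text) {
  const body = text.split('\n');
  const canonical = body.map(stripTrailing).join('\r\n');
  const sig = crypto.sign(null, Buffer.from(canonical, 'utf8'), privateKey).toString('base64');
  const escaped = body.map((l) => (l.startsWith('-') ? '- ' + l : l)).join('\n');
  return [BEGIN_MSG, 'Hash: SHA512', '', escaped, BEGIN_SIG, '', sig, END_SIG].join('\n');
}

function verifyCleartext(armored, key) {
  const { text, signature } = parseCleartextSigned(armored);
  return crypto.verify(null, Buffer.from(text, 'utf8'), key, Buffer.from(signature, 'base64'));
}

// The page's tamper case: same signature block, edited text.
function demo() {
  const signed = signCleartext('I like pineapple.');
  const tampered = signed.replace('pineapple', 'privacy invasion');
  return { original: verifyCleartext(signed, publicKey), tampered: verifyCleartext(tampered, publicKey) };
}
console.log(demo());
```

Only the text between the blank line after the headers and the signature block is covered: anything pasted before the header or after the footer is ignored by the parser and is not authenticated.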