OPSV has been integrated into Keyoxide and is no longer updated: https://codeberg.org/yarmo/keyoxide


Open PGP Signature Verification (OPSV)

OPSV is a FOSS solution for easy PGP signature verification.

About

This project uses openpgp.js loaded in the browser, meaning all processing happens on the device itself and no data is ever sent to a server. It supports loading public keys directly through:

  1. plaintext input
  2. web key directory (WKD)
  3. HTTP Keyserver Protocol (HKP)

OPSV will always use the first input method it detects in the order described above.

Usage

Visit https://opsv.foss.guru/. On this website, you can enter a signed message (see example below) and any of the three supported public key inputs to verify that the owner of that public key indeed signed that message.

Example

Let’s say I, Yarmo, would really like the world to know that I like pineapple. Using my private key, I’ve signed that statement so you can verify I wrote that message.

The signed statement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I like pineapple.
-----BEGIN PGP SIGNATURE-----
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=G0ZY
-----END PGP SIGNATURE-----

Use this as “Message” on OPSV.

Using plaintext public key

Now, let’s check the signature. Go to my personal website and copy-paste the “plaintext” key in the “Public Key (1: plaintext)” field.

You will see a green message confirming that my key was used to sign this message. I really do like pineapple.

Using web key directory (WKD)

Remove the contents from the “Public Key (1: plaintext)” field. Now, in the “Public Key (2: web key directory)” field, write yarmo@yarmo.eu and verify the signature again. It is still verified. Try using jane@doe.org or any other input: it won’t verify.

Using HTTP Keyserver Protocol (HKP)

Remove the contents from the “Public Key (2: web key directory)” field. I uploaded my keys to the https://keys.openpgp.org/ HKP server, which is the default server used by OPSV. All you need to do is once again go to my personal website and copy-paste the “Fingerprint” in the “Public Key (3: HKP)” field (the second field!). Still verified!

What can a bad actor do?

One could not sign a statement with my private key: I, and only I, have access to it.

One could however simply take any of my signed messages and change the content. Like so:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I like privacy invasion.
-----BEGIN PGP SIGNATURE-----
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=EiD6
-----END PGP SIGNATURE-----

Given the wording of the statement, you naturally doubt that it came from me. You run it through OPSV and indeed, this is not what I wrote!

You know me, “I despise privacy invasion.” (hint hint).