As we all know, the internet is a complicated place. No texts that transmitted to you from the other end of the Internet can be guaranteed where they actually come from. And as an ordinary person, Zcp of course could not prove that all the texts are indeed from his free will either. Viruses, hackers, pressure from outside forces...are also likely to post information on his behalf.
To solve this problem, I announce here,
From now on(2020.03.04),I'll sign all the texts in order to:
- Defend my rights to speak on the Internet;
- Protect myself from being imitated by other people;
- Provide a verification to the world that whether the messages are written by myself, whether the texts are consistent with my free will.
I'll sign every file using my PGP private key, and share the only trustable PGP public key of mine here.(This README file will also be singed by me)
- The Fingerprint is :
77F37C33368AD0B5D52810D1BF5738A17E62F3FC - Public Key Zcp's PGP keys
Notice that I haven't and will not upload my PGP keys to any key servers, so if you found my PGP keys on any other key servers, just don't trust it
# Example: sign README.md
# Output signature file: sig.gpg
# --detach-sign: This option is the most useful for simply ensuring the integrity (but not privacy) of a large file
gpg --detach-sign -o sig.gpg README.md# Order matters, put signature file first!
gpg --verify sig.gpg README.mdIf you haven't import my PGP public key, then the output will be(Chinese Version):
gpg: 签名建立于 2020年03月04日 星期x xx时xx分xx秒 JST
gpg: 使用 RSA 密钥 xxxx
gpg: 无法检查签名:No public key
Download the *.pub file directly.
Then run:
gpg --import Zcp_PGP.pubAnd now you can verify this README.md file correctly.
If this file is from me and haven't be edited, imitated by others, the output of verification should be:
gpg: 完好的签名,来自于 xxxx
gpg: 警告:此密钥未被受信任签名认证!
gpg: 没有证据表明此签名属于其声称的所有者。
主密钥指纹: xxxx
子密钥指纹: xxxx
The warning is because this public isn't trusted by default, you can trust it by:
gpg --edit-key [ID]
#gpg>
trustOr, an example of verification failure :
gpg: 使用 RSA 密钥 xxxx
gpg: 已损坏的签名,来自于 xxxx
- I will use the strictest methods to ensure I'm the only holder of my private keys.
- For statements that meet one of the following conditions, I will only publish them by digital signature:
- Make any statement about personal freedom, physical condition or mental condition;
- Declaration of withdrawal of certain statements made by myself;
- Other things that can be related to personal dignity or reputation.
If statements that belong to the above but are not digitally signed, or that such signatures cannot be verified, they are all invalid.
I use keybase to claim the ownership of my Github account、website、social medias...
This is My keybase page
I signed these files, anyone is able to check it using my public key: