Now that I’ve got my new PGP key set up, I thought I’d have a bit of fun with it and use it to sign my blog posts.
I host my public key at https://blog.probablyfine.co.uk/gpg.asc and also on keybase.io.
By verifying the content of the HTML against the detached signature, anyone can confirm that I am indeed the author of a post.
$ curl https://keybase.io/probablyfine/pgp_keys.asc | gpg --import
$ wget https://blog.probablyfine.co.uk/about.html
$ wget https://blog.probablyfine.co.uk/about.asc.txt
$ gpg --verify about.asc.txt about.html
...
gpg: Good signature from "Alex Wilson <gpg@probablyfine.co.uk>" [unknown]
...
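The `[unknown]` in the output above means gpg found a good signature but has no trust path to the key, so a script that checks posts should also pin the key's fingerprint. This added example (not part of the original post) does that by parsing `gpg --status-fd` output; the function names, the sample status lines and the fingerprints in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a post only when gpg reports a good signature
# from one pinned key. Function names are illustrative.

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if there is a
# GOODSIG, every VALIDSIG names EXPECTED_FPR as primary key, and no
# bad, expired or revoked marker appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; fall back to the
            # signing key fingerprint (field 3) if gpg did not print it.
            fpr = (NF >= 12) ? $12 : $3
            if (want != "" && toupper(fpr) == toupper(want)) { pinned++ } else { other++ }
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { exit !(good > 0 && pinned > 0 && other == 0 && bad == 0) }
    '
}

# verify_post FILE SIGNATURE EXPECTED_FPR
# Status lines go to stdout (fd 1); human-readable output is discarded.
verify_post() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status output for a good signature (not from a real key).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Example Author <author@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2019-11-01 1572566400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Usage, with the fingerprint checked through a second channel:
#   verify_post about.html about.asc.txt "$PINNED_FPR"
```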
Generating the signatures
My blog is a static site powered by Jekyll, hosted on AWS. I wrote a small script to generate the signatures, which is executed as part of the deploy to S3.
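# Requires bash for `read -d`. NUL-delimited names keep paths with spaces intact.
find _site -name '*.html' -print0 | while IFS= read -r -d '' POST ; do
    echo "Generating signature for ${POST}"
    # about.html -> about.asc.txt
    SIGNATURE="${POST%.html}.asc.txt"
    gpg --armor \
        --detach-sig \
        --output "${SIGNATURE}" \
        --sign "${POST}"
done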
Each post now provides the link to its signature in the footer. Take a look for yourself!
November is National Blog Posting Month, or NaBloPoMo. I’ll be endeavouring to write one blog post per day in the month of November 2019 - some short and sweet, others long and boring.