Don't worry, it's ... Probably Fine

Signing my blog posts

08 Nov 2019

nablopomo19 gpg

Now that I’ve got my new PGP key set up, I thought I’d have a bit of fun with it and use it to sign my blog posts.

I host my public key under https://blog.probablyfine.co.uk/gpg.asc but also on keybase.io

By verifying the content of the HTML against the detached signature, anyone can confirm that I am indeed the author of a post.

$ curl https://keybase.io/probablyfine/pgp_keys.asc | gpg --import
$ wget https://blog.probablyfine.co.uk/about.html
$ wget https://blog.probablyfine.co.uk/about.asc.txt
$ gpg --verify about.asc.txt about.html

...
gpg: Good signature from "Alex Wilson <gpg@probablyfine.co.uk>" [unknown]
...

Generating the signatures

My blog is a static site powered by Jekyll, hosted on AWS. I wrote a small script to generate the signatures which is executed as part of the deploy to S3.

for POST in $(find _site -name '*.html') ; do

    echo Generating signature for ${POST}

    SIGNATURE=$(echo ${POST} | sed -e 's/\.html$/.asc.txt/')

    gpg --armor \
        --detach-sig \
        --output ${SIGNATURE} \
        --sign ${POST}

done

Each post now provides the link to its signature in the footer. Take a look for yourself!


November is National Blog Posting Month, or NaBloPoMo. I’ll be endeavouring to write one blog post per day in the month of November 2019 - some short and sweet, others long and boring.