RobertSpigler.com is hosted outside of my control. 3rd party hosting allows for easier maintenance, and ultimately no website can be fully trusted as you can never control all of the infrastructure. Even with TLS, 2FA, etc, a number of attack vectors exist (the host owns you, other people have physical access to the server, BGP hijacking…)
GPG enables you to distrust all of this infrastructure when contacting me. But what can a GPG signature prove?
I believe this is a common misunderstanding. Seeing a GPG signature verify does not mean you are “in the clear”.
When a message’s signature passes verification, that means that the message’s integrity has been cryptographically proven. A failure of integrity would indicate that the file has been tampered with en route. However, who has signed the file? In order to properly verify the authenticity (did the signature actually come from the person who is claiming to own that key), you must check the fingerprint of the key from multiple, independent sources in several different ways. You need the message's integrity and authenticity to be proven.
For example, any attacker can properly sign a malicious message with a valid attacker-owned GPG key. This key could be labeled “Robert Spigler”, and the attacker could post it on a website 'RobertSp1gler.com' (or perhaps even deface this website with it). If you were to merely verify the signature, the signature would verify properly, and the attack would be successful. To mitigate this, you need to properly authenticate the key used to sign the malicious message. You would see that the malicious key had a fingerprint (for example) of XXXX XXXX XXXX 1234, while my key has a fingerprint of BF0D 3C08 A439 5AC6 11C1 5395 B70B 4A77 F850 548F.
The only way to know for sure whether or not the fingerprint you are seeing is truly mine, is to verify from multiple, independent sources in several different ways.
For example, you can check this on Yeti's Slack, on podcasts I have been on where I have read it outloud, my public Twitter and email, as well as other forum posts. You should also check this via Tor to avoid network based attacks. You can also contact other developers I work with, and check with them out of band.
Below is my GPG information:
pub rsa4096/0xB70B4A77F850548F 2020-05-14 [C]
Key fingerprint = BF0D 3C08 A439 5AC6 11C1 5395 B70B 4A77 F850 548F
uid [ unknown] Robert Spigler <RobertSpigler@Proton.Me>
sub rsa4096/0x52C7B02FC790F3F0 2020-05-14 [S] [expires: 2023-05-26]
Key fingerprint = 7F85 8A1C D184 F695 B3B1 BCB4 52C7 B02F C790 F3F0
sub rsa4096/0x4D3A736EE8FED764 2020-05-14 [E] [expires: 2023-05-26]
Key fingerprint = 7EC6 5805 989C A9D9 E847 6BFD 4D3A 736E E8FE D764
Click below to download my Public Key
Copyright © 2022 Robert Spigler - All Rights Reserved.