---

A quick adventure in dusting off an old PGP key, hashing a file, and giving a recipient an easy-to-follow proof path.

[written with the help of machine intelligence]

---

1 ? The problem that kicked it off

Last week my church sent me a rental agreement as a fill-in PDF. I filled it out, but before firing it back I wondered:

Could I send something more trustworthy than “here’s the file, trust me” without forcing the church admin (Diana) to install GPG or sign up for Keybase?

I haven’t seriously touched my PGP setup in years, but the idea of a lightweight, verifiable “signature” still appealed to the geek in me.

---

2 ? Taking inventory (a blast from 2013)

gpg --list-secret-keys

sec   rsa2048 2013-12-10 [SC]
      78E8E8E8B007206C2A5D9C83AA61D643ECB4CD2D
uid           Raymond Yee <raymond.yee@gmail.com>

Aha—my 2013 RSA-2048 key is still around. Keybase confirms it:

keybase pgp list
# PGP Fingerprint: 78e8e8e8b007206c2a5d9c83aa61d643ecb4cd2d

So Keybase and GPG agree: I still control the same key.

---

3 ? The lightweight signature plan

1. Hash the PDF
   (Because signing a small hash is friendlier than tacking a binary blob onto an email.)

   shasum -a 256 "20250830 YeeRental.Signed.pdf" \
    > pdf_hash.txt
   # ? 47a97a11…f1e4f7c  20250830 YeeRental.Signed.pdf

2. Sign the hash with my PGP key
   Using Keybase’s wrapper so I don’t have to juggle fingerprints:

   keybase pgp sign -i pdf_hash.txt -o pdf_hash.txt.asc

   Heads-up: Keybase warned me:
   Our PGP key … uses an insecure hash scheme (SHA1)
   More on that in the “Next steps” below.

3. Bundle three tiny files

   ? 20250830 YeeRental.Signed.pdf       ? the contract
   ? pdf_hash.txt.asc                   ? clear-signed hash
   ? README-verification.txt            ? human instructions

4. Give Diana the path of least resistance
   The README points her to a zero-install SHA-256 site
   (e.g., https://emn178.github.io/online-tools/sha256_checksum.html):

   1. Drag the PDF ? see the 64-char hash.
   2. Compare it with the one in my signed message.
   3. If curious, paste the signed block into https://keybase.io/verify.
      She’ll see “Good signature from rdhyee”.

That’s it: no local GPG, no Keybase account, just two web pages.

---

4 ? Did I actually send the signed bundle?

Of course not. In the heat of the moment I reverted to “just attach the PDF.”
But the exercise was worth it—I now have a repeatable, recipient-friendly workflow ready for next time.

---

5 ? What the SHA-1 warning means & my next moves

• Why the warning?
  My primary UID self-signature dates back to 2013 and was made with SHA-1. Modern GnuPG flags that as “legacy.”
  (The signatures I just created use SHA-256, so the content I sign is fine. The warning just nudges me to modernize the key itself.)

• Upgrade game-plan

  1. Generate a fresh key — ed25519 + separate encryption subkey.
  2. Sign the new key with the old one to keep a verifiable chain of custody.
  3. Upload the new key to Keybase (keybase pgp select).
     (Keybase only holds one active PGP key, so the old one will move to the “revoked” tab—or I can leave it un-revoked for legacy checks.)
  4. Set a short expiration (one-year) and renew annually.
  5. Back it up & maybe move private material to a YubiKey.

Until then, my 2048-bit RSA key is still “good enough,” but modern curves?shorter lifetimes are a cleaner future.

---

6 ? Take-aways

• A PGP signature doesn’t have to be intimidating—hash-then-sign keeps the process email-sized and recipient-friendly.
• Keybase’s “paste to verify” page bridges techies and non-techies nicely.
• Even a dusty 2013 key can still serve, but updating keeps the warnings away and future-proofs my identity.

Next time the church sends a form, I’ll be ready—with a shiny new ed25519 key and an even smoother README.

---