A quick adventure in dusting off an old PGP key, hashing a file, and giving a recipient an easy-to-follow proof path.<\/em><\/p>\n [written with the help of machine intelligence]<\/p>\n Last week my church sent me a rental agreement as a fill-in PDF. I filled it out, but before firing it back I wondered:<\/p>\n Could I send something more trustworthy than \u201chere\u2019s the file, trust me\u201d without forcing the church admin (Diana) to install GPG or sign up for Keybase?<\/em><\/p>\n<\/blockquote>\n I haven\u2019t seriously touched my PGP setup in years, but the idea of a lightweight, verifiable \u201csignature\u201d still appealed to the geek in me.<\/p>\n Aha\u2014my 2013 RSA-2048 key is still around. Keybase confirms it:<\/p>\n So Keybase and GPG agree: I still control the same key.<\/p>\n Hash the PDF<\/strong> Sign the hash with my PGP key<\/strong> Heads-up<\/strong>: Keybase warned me: Bundle three tiny files<\/strong><\/p>\n Give Diana the path of least resistance<\/strong> That\u2019s it: no local GPG, no Keybase account, just two web pages.<\/p>\n Of course not. In the heat of the moment I reverted to \u201cjust attach the PDF.\u201d Why the warning?<\/strong> Upgrade game-plan<\/strong><\/p>\n Until then, my 2048-bit RSA key is still \u201cgood enough,\u201d but modern curves?shorter lifetimes are a cleaner future.<\/p>\n Next time the church sends a form, I\u2019ll be ready\u2014with a shiny new ed25519 key and an even smoother README.<\/p>\n A quick adventure in dusting off an old PGP key, hashing a file, and giving a recipient an easy-to-follow proof path. [written with the help of machine intelligence] 1 ? The problem that kicked it off Last week my church … Continue reading
\n1 ? The problem that kicked it off<\/h3>\n
\n
\n2 ? Taking inventory (a blast from 2013)<\/h3>\n
gpg --list-secret-keys<\/code><\/pre>\nsec rsa2048 2013-12-10 [SC]\n 78E8E8E8B007206C2A5D9C83AA61D643ECB4CD2D\nuid Raymond Yee <raymond.yee@gmail.com><\/code><\/pre>\nkeybase pgp list\n# PGP Fingerprint: 78e8e8e8b007206c2a5d9c83aa61d643ecb4cd2d<\/code><\/pre>\n
\n3 ? The lightweight signature plan<\/h3>\n
\n
\n(Because signing a small hash is friendlier than tacking a binary blob onto an email.)<\/p>\nshasum -a 256 \"20250830 YeeRental.Signed.pdf\" \\\n > pdf_hash.txt\n# ? 47a97a11\u2026f1e4f7c 20250830 YeeRental.Signed.pdf<\/code><\/pre>\n<\/li>\n
\nUsing Keybase\u2019s wrapper so I don\u2019t have to juggle fingerprints:<\/p>\nkeybase pgp sign -i pdf_hash.txt -o pdf_hash.txt.asc<\/code><\/pre>\n\n
\nOur PGP key \u2026 uses an insecure hash scheme (SHA1)<\/code>
\nMore on that in the \u201cNext steps\u201d below.<\/p>\n<\/blockquote>\n<\/li>\n? 20250830 YeeRental.Signed.pdf ? the contract\n? pdf_hash.txt.asc ? clear-signed hash\n? README-verification.txt ? human instructions<\/code><\/pre>\n<\/li>\n
\nThe README points her to a zero-install SHA-256 site
\n(e.g., https:\/\/emn178.github.io\/online-tools\/sha256_checksum.html<\/a>):<\/p>\n\n
\nShe\u2019ll see \u201cGood signature from rdhyee\u201d.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n
\n4 ? Did I actually send the signed bundle?<\/h3>\n
\nBut the exercise was worth it\u2014I now have a repeatable, recipient-friendly workflow ready for next time.<\/p>\n
\n5 ? What the SHA-1 warning means & my next moves<\/h3>\n
\n
\nMy primary UID self-signature<\/em> dates back to 2013 and was made with SHA-1. Modern GnuPG flags that as \u201clegacy.\u201d
\n(The signatures I just created use SHA-256, so the content I sign is fine. The warning just nudges me to modernize the key itself.)<\/p>\n<\/li>\n\n
keybase pgp select<\/code>).
\n(Keybase only holds one active PGP key, so the old one will move to the \u201crevoked\u201d tab\u2014or I can leave it un-revoked for legacy checks.)<\/li>\n
\n6 ? Take-aways<\/h3>\n
\n
\n","protected":false},"excerpt":{"rendered":"