Blog post signing using GPG

Update 2015-10-27: Although I still like the idea of blog signatures, I figured that HTML and dynamic webpages (enriched with a WYSIWYG editor) don't play well. Therefore I decided to remove the signatures again.

These days, I am thinking a lot about encryption and the integrity of communication channels. Every mail I send is automatically signed via my GPG key. I am doing this not only to remind people of the fact that GPG/PGP exists and that they should use it. I am primarily doing it for its main purpose: to give the recipients the possibility to verify the integrity of the mail and that it was really sent by me. Today I thought... well, as I give the recipients of my mails this option, why shouldn't I also give this option to the readers of my blog?

So I started testing a bit. I wasn't sure what might be the best way to do this. My first idea was to take the HTML source of the blog post and create a signature of it, as this would also include links to external websites and images in the signature. But it would be really hard to verify the signature, as WordPress adds a lot of HTML crap to the source. So I eventually decided to just take the plain text, create a signature, add it to the blog post and change the color of the GPG output to a light grey, so that it wouldn't fall into the formatting too much.

The problem is that WordPress is a bitch and has some stupid features which, e.g., alter minus characters to em-dashes. As the "-----" is an essential part of the GPG signature, this made it impossible for GPG to verify the signature. Luckily there is the "Undo WordPress Default Formatting" plugin by Mattias Geniar, which disables this crap.

So from now on, I will digitally sign every blog post with my GPG key. Feel free to verify the signature to make sure that what you read is really what I published.
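The dash problem described above can be checked for before a copied post is handed to GPG. The following is an added example, not code from the original post: it assumes the signature is in OpenPGP cleartext-signature form, and the function name `audit_armor` and the sample text are constructed for illustration.

```python
import re

# Dash-like characters that typographic filters substitute for runs of "-".
DASHES = "-\u2010\u2011\u2012\u2013\u2014\u2015\u2212"
# Boundary lines of a cleartext signature, in the order they must appear.
LABELS = ("BEGIN PGP SIGNED MESSAGE", "BEGIN PGP SIGNATURE", "END PGP SIGNATURE")
# A boundary line, tolerating any mix of dash-like characters around the label.
ARMOR = re.compile(r"^[%s]+(%s)[%s]+\s*$" % (DASHES, "|".join(LABELS), DASHES))


def audit_armor(text):
    """Return (repaired_text, findings, complete) for page text.

    findings lists (line_number, label, original_line) for every boundary
    line that no longer consists of exactly five ASCII hyphens per side.
    complete is True when all three boundaries occur once, in order.
    Only boundary lines are restored: the signed body is left untouched,
    so any rewriting of the body still makes verification fail.
    """
    findings, out, seen = [], [], []
    for number, line in enumerate(text.splitlines(), 1):
        match = ARMOR.match(line)
        if match:
            label = match.group(1)
            canonical = "-----%s-----" % label
            if line.rstrip() != canonical:
                findings.append((number, label, line))
            seen.append(label)
            line = canonical
        out.append(line)
    return "\n".join(out) + "\n", findings, seen == list(LABELS)


# Constructed sample: two boundary lines rewritten to em dash + en dash,
# the signature data replaced by a placeholder.
SAMPLE = (
    "\u2014\u2013BEGIN PGP SIGNED MESSAGE\u2014\u2013\n"
    "Hash: SHA256\n"
    "\n"
    "Constructed post body.\n"
    "\u2014\u2013BEGIN PGP SIGNATURE\u2014\u2013\n"
    "\n"
    "PLACEHOLDERSIGNATUREDATA\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    repaired, findings, complete = audit_armor(SAMPLE)
    for number, label, original in findings:
        print("line %d: mangled boundary %r: %r" % (number, label, original))
    print("all boundaries present in order:", complete)
```

The repaired text can then be passed to `gpg --verify`; a failure at that point means the signed body itself was altered in transit or by the page's formatting.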
