[WriteLog] Re: PGP for dummies

Wayne, W5XD w5xd at writelog.com
Mon Jun 9 21:41:28 EDT 2008


>After investing the time, I'd still appreciate hearing from anyone 
>who HAS recently used PGP to validate the WL files.  I know, I'm just 
>another AR nerd engineer, so you don't need to remind me of that!

I have also invested the time, and the short answer is "works for me".
(Ron was mistaken about me "not using PGP")

After reading your post, I went back and looked at the PGP I am using.
It is (or was) version 6.0 which is no longer available from anywhere.
So I also downloaded the 30 day trial from pgp.com and installed it
(on a dedicated testing machine the first time).

Since your post indicates that PGP appears to work after you downloaded
and installed it, I think your problem likely is that the download 
process for the key and/or signature didn't work correctly. (I had
trouble making their free download install, but I think it might
have had to do with the fact that I had the old freeware version
installed, but I eventually succeeded).

To verify the WL PGP signatures using the version 9 trial-ware,
I suggest you do what I did:

1. Get the WriteLog Sales key on your machine by going to 
http://www.writelog.com/pgp_signatures.htm
Find the WriteLogSales.asc link, RIGHT-CLICK on it, and 
choose Save Target As... to make a copy of the file locally.
(Actually, I didn't get my copy of the key from the server--
I already had the original--but that is the only place you can get it.)

2. Use the same "Save Target As..." trick on the .sig file
from http://www.writelog.com/downloads.htm. For this file,
it is important to save the target into the same directory
as the .exe file you want to verify.

3. Start the PGP Desktop from its Start menu entry, and
in the PGP Desktop window that comes up, use "File Open"
to open the WritelogSales.asc link you did in (1). 
This should make the key appear in the "All Keys" tab.

4. Right click in the All Keys tab on the newly imported
key and choose "Sign". Pay attention to the dialog that 
comes up. Here is where your security really comes from.
Do you really know that key is what you think it is?
The pgp_signatures web page above describes the risks
you are taking at this step.

The above are one-time setup steps. Now your Windows File
Manager should have a right click option on the .sig file
you downloaded in (2) that says verify. For some reason,
that right click doesn't always work for me. But I have found
that if I use Windows File Manager to drag the .sig file
onto the "PGP Desktop" window and drop it on the "Verification
History" tab (along the left column), it does the verify I
am looking for, putting a new entry in the history pane
telling me that the signature and the downloaded .exe file
match.

From my reading of the PGP trial-ware docs, I believe the
above will continue to work for you after the 30 day
expiration. I think it's the email integration that stops
after 30 days.

I suspect that many WL users might think all this is overkill.
For those that run WriteLog on a dedicated machine for contesting 
and nothing else, I concede the point. But if you install
WL on a machine that has personal data on it, consider the possibility
that the web server that hosts writelog.com could be compromised
by someone with enough smarts to replace the downloads with
something that looks enough like the real WL to fool you until
it finds and copies all your personal data to "bad guys".

GL,
Wayne, W5XD
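
The steps in the message above, as an added example that is not part of the original post: the same check done with the GnuPG command line instead of PGP Desktop. The function names, file names and expected fingerprint are placeholders chosen for illustration; the fingerprint is assumed to come from a source other than the web server.

```bash
#!/usr/bin/env bash
# Added example: GnuPG equivalent of steps 1-4 and the verify step.
# All file names and the fingerprint are caller-supplied placeholders.

# Normalise a fingerprint: drop spaces/colons, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'; }

# Step 2's rule: the .sig sits beside the file it signs, so the signed
# file is the same path with the ".sig" suffix removed.
signed_file_for() {
    case "$1" in
        *.sig) printf '%s\n' "${1%.sig}" ;;
        *)     return 1 ;;
    esac
}

# Primary-key fingerprint of a key file, read without importing it.
key_fingerprint() {
    gpg --batch --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# usage: verify_download KEY.asc FILE.sig EXPECTED_FINGERPRINT
# returns 0 only if the key matches the fingerprint AND the signature is good
verify_download() {
    local key=$1 sig=$2 want target home rc
    want=$(norm_fpr "$3")
    target=$(signed_file_for "$sig") || { echo "not a .sig file: $sig" >&2; return 2; }
    [ -f "$target" ] || { echo "signed file missing: $target" >&2; return 2; }

    # Step 4's question ("is this key what you think it is?") made explicit:
    # compare against a fingerprint obtained from somewhere other than the server.
    [ -n "$want" ] && [ "$(key_fingerprint "$key")" = "$want" ] ||
        { echo "key fingerprint mismatch" >&2; return 3; }

    home=$(mktemp -d)    # throwaway keyring that holds only this one key
    gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null &&
        gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$target" 2>/dev/null |
        awk -v f="$want" '$2 == "VALIDSIG" && $NF == f { ok = 1 } END { exit !ok }'
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] || echo "signature did NOT verify: $target" >&2
    return "$rc"
}
```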


