Hi,
I'm fairly new to PKI, so bear with me please.
I have a couple of questions about verifying the signed message.
...
Verifying the release:
1) get public key of author
2) import public key of author
3) get HTML from bitaddress.org
4) sha1 checksum of HTML
5) verify signed message from author
6) confirm sha1 in step 4 & 5 matches
NOTE: If the web page is saved as "web page complete" as opposed to "web page html only" the checksum will not match.
wget http://www.bitaddress.org/ninja_bitaddress.org.txt
gpg --import ninja_bitaddress.org.txt
wget http://www.bitaddress.org/bitaddress.org-v2.9.1-SHA1-67b1facd70890aa9544597e97122c7a1d4fdc821.html
sha1sum bitaddress.org-v2.9.1-SHA1-67b1facd70890aa9544597e97122c7a1d4fdc821.html
wget -qO- http://www.bitaddress.org/pgpsignedmsg.txt | gpg -d
...
It appears to me that 'gpg -d' is an instruction to gpg to decrypt the file argument.
1) Why is it necessary to decrypt the message when I can read it perfectly as it is?
2) Why is there no mention of 'verify' in this step's command (step 5)? I was expecting to use one or other variation of '--verify'. Please clarify.
Thanks for any feedback.
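Added example (not part of this thread and not bitaddress.org's own instructions): a shell re-enactment of the six verification steps against a throwaway key and a constructed "release" file, so the behaviour behind the two questions can be observed offline. It shows that `gpg -d` on a clearsigned message (which is signed, not encrypted) verifies the signature and prints the signed text, that `gpg --verify` reports only the verdict, that the checksum named inside the signed text must still be compared against a locally computed `sha1sum` of the downloaded file, and that a tampered copy of the signed message is rejected. It assumes gpg 2.x, `sha1sum` and `mktemp` are installed; the key, the file and the note are all constructed here.

```shell
#!/bin/sh
# Constructed demonstration of the bitaddress.org-style verification flow.
# Nothing here touches the network: the "author" key, the "release" file and
# the signed note are all generated locally in a scratch GNUPGHOME.
set -u

# Runs the whole flow and returns 0 when every check behaves as expected
# (good signature, checksum match, tampered copy rejected), 1 otherwise.
# Returns 0 with a "skipped" message when gpg is not installed.
verify_release_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Steps 1 and 2 (stand-in): a throwaway signing key plays the author's key.
    # Against a real release you would fetch the author's public key and
    # `gpg --import` it instead.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Author <demo@example.invalid>' default default never \
        2>/dev/null || return 1

    # Step 3 (stand-in): a constructed file instead of the real HTML download.
    printf '<html><body>constructed release page</body></html>\n' > "$work/release.html"

    # Step 4: checksum of the file exactly as saved on disk.
    expected=$(sha1sum "$work/release.html" | cut -d' ' -f1)

    # The author's signed note naming that checksum (the role pgpsignedmsg.txt plays).
    printf 'release.html SHA1 %s\n' "$expected" > "$work/note.txt"
    gpg --batch --quiet --clearsign --output "$work/pgpsignedmsg.txt" "$work/note.txt" || return 1

    # Step 5a: `gpg -d` on a clearsigned message is not decryption in any real
    # sense; it checks the signature (verdict on stderr) and prints the signed
    # text (stdout). A bad signature makes it fail.
    signed_text=$(gpg --batch -d "$work/pgpsignedmsg.txt" 2>"$work/verdict.txt") \
        || { cat "$work/verdict.txt"; return 1; }
    grep -q 'Good signature' "$work/verdict.txt" || return 1

    # Step 5b: `gpg --verify` gives the same verdict but never the text.
    gpg --batch --verify "$work/pgpsignedmsg.txt" 2>/dev/null || return 1

    # Step 6: the checksum inside the signed text must equal the one computed
    # locally; a signature alone says nothing about the file you downloaded.
    claimed=$(printf '%s\n' "$signed_text" | sed -n 's/^release.html SHA1 \([0-9a-f]*\)$/\1/p')
    [ "$claimed" = "$expected" ] || { echo "checksum mismatch"; return 1; }

    # Altering one byte of the signed text must make verification fail.
    sed 's/release\.html/tampered.html/' "$work/pgpsignedmsg.txt" > "$work/tampered.txt"
    if gpg --batch --verify "$work/tampered.txt" 2>/dev/null; then
        echo "tampered message unexpectedly verified"
        return 1
    fi

    echo "ok: good signature, checksum matches, tampered copy rejected"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return 0
}

verify_release_demo
```

The stderr verdict ("Good signature from ...") is the part that matters in step 5; the printed text is only useful once you compare the hash it names with your own `sha1sum` output in step 6.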