How to verify the signatures, within GnuPG Certificates, from the command-line.

I found this to be a very specific question, with inadequate documentation elsewhere on the Web, and so I’m writing my own observations on it here. First of all, the reader should know what a certificate is, as opposed to just ‘a public key’. A public key goes together mathematically with a private key, so that either will decrypt what the other encrypted, but in such a way that anyone who is made aware of the public key alone is unable to derive the private key.

This does not just get used for encryption, but also to sign documents or other electronic assets. In fact, if the RSA algorithm is being used for encryption, it may already be somewhat out-of-date, because many Web sites that have an ‘httpS://’ URL use TLS by now instead of SSL, the latter being insecure by today’s knowledge. However, while Diffie-Hellman key exchange is suitable for encryption, creating a shared secret between the server and client that in turn can be used as a strong symmetric key for a connection, the actual verification of Web sites still uses RSA. But that’s a bit of an aside, because in this posting we’re not interested in certifying Web sites with an X.509 certificate. This posting is about ‘GnuPG’, which is an alternative to ‘X.509’.

A certificate is what one obtains when a public key belonging to one person, together with certain mandatory information, is signed using the private key of another, so that the public key of the other person can be used to validate that signature. This is important because, if there were only a public and private key, the recipient of a (signed) document would have no way of knowing whether a public key he’s been given actually belongs to the correct author. He’d just know that it’s the public key associated with an arbitrary private key, where the two are supposedly already matched as they should be.

Conversely, if a person wanted to encrypt a document being sent to another, then he’d have no way of knowing that he’s encrypting it using the correct public key. The person who has the corresponding private key might not be the intended recipient.

Because the public key has been signed with another person’s key-pair, that person’s attestation that it belongs to its rightful owner can add trust in the public key, both for the recipient of a signed document and for the sender of a document to be encrypted, the latter so that only the holder of the correct private key will be able to decrypt it.

So it can happen to users of GnuPG that they’ve been using GUIs such as ‘Kleopatra’ or ‘KGPG’, that these GUIs have not displayed any messages, but that they’d like to verify the signatures on the public keys belonging to other people anyway. And from the command-line, there is a way to do that…
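As an added example (not code from the original post), here is what that command-line check looks like when scripted. GnuPG’s ‘gpg --check-signatures KEYID’ (alias ‘--check-sigs’) re-verifies every certification signature on a key, and ‘--with-colons’ makes the output machine-readable, in the record layout documented in GnuPG’s doc/DETAILS file. The Python below parses a constructed sample of that colon output (the key IDs, fingerprints and names are placeholders) and reports, per user ID, who certified it and whether GnuPG marked each signature good (‘!’), bad (‘-’), erroneous (‘%’) or unverifiable because the signer’s key is not in the keyring (‘?’). The ‘run_gpg’ helper shows the real invocation; everything else runs offline on the sample.

```python
"""Summarise the certification signatures on a GnuPG public key.

Added example, not code from the original post.  It parses the output of
    gpg --with-colons --check-signatures <KEYID>
(record layout per GnuPG's doc/DETAILS) and lists, per user ID, which keys
certified it and whether GnuPG could verify each signature.
"""
import subprocess
from dataclasses import dataclass, field

# Field 2 of a 'sig'/'rev' record when --check-signatures was used.
SIG_STATUS = {
    "!": "good",
    "-": "BAD",
    "%": "error",
    "?": "signer key not in keyring",
}


@dataclass
class Certification:
    signer_keyid: str   # long key ID of the certifying key (field 5)
    status: str         # one of the SIG_STATUS values
    sig_class: str      # e.g. '13x' positive certification, '30x' revocation
    revocation: bool    # True for 'rev' records
    self_sig: bool      # the key certified its own user ID


@dataclass
class UserId:
    uid: str
    certifications: list = field(default_factory=list)


def _unescape(s):
    """gpg escapes ':' inside user IDs as \\x3a."""
    return s.replace("\\x3a", ":")


def parse_check_sigs(text):
    """Return (primary_keyid, [UserId, ...]) from colon-format output."""
    primary, uids, current = None, [], None
    for line in text.splitlines():
        f = line.split(":")
        kind = f[0]
        if kind == "pub":
            primary = f[4]          # long key ID of the key being examined
            current = None
        elif kind == "uid":
            current = UserId(_unescape(f[9]))
            uids.append(current)
        elif kind == "sub":
            current = None          # subkey binding sigs are not UID certifications
        elif kind in ("sig", "rev") and current is not None:
            current.certifications.append(Certification(
                signer_keyid=f[4],
                status=SIG_STATUS.get(f[1], "unknown"),
                sig_class=f[10],
                revocation=(kind == "rev"),
                self_sig=(f[4] == primary),
            ))
    return primary, uids


def problems(uids):
    """Certifications worth a second look: anything GnuPG did not mark good."""
    return [(u.uid, c.signer_keyid, c.status)
            for u in uids for c in u.certifications if c.status != "good"]


def active_certifiers(uid):
    """Third-party keys whose certification of this user ID is good and not
    revoked by a good revocation record (simplification: timestamps ignored)."""
    good = {c.signer_keyid for c in uid.certifications
            if c.status == "good" and not c.revocation and not c.self_sig}
    revoked = {c.signer_keyid for c in uid.certifications
               if c.status == "good" and c.revocation}
    return sorted(good - revoked)


def run_gpg(keyid):
    """Real invocation against the local keyring (not used by the offline demo)."""
    out = subprocess.run(["gpg", "--with-colons", "--check-signatures", keyid],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample output; key IDs, fingerprints and names are placeholders.
SAMPLE = """\
pub:u:255:22:0123456789ABCDEF:1650000000:::u:::scESCA::::::23::0:
fpr:::::::::00000000000000000000000000123456789ABCDEF:
uid:u::::1650000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>::::::::::0:
sig:!::22:0123456789ABCDEF:1650000000::::Alice Example <alice@example.org>:13x:::::8:
sig:!::1:FEDCBA9876543210:1660000000::::Bob Example <bob@example.org>:10x:::::8:
sig:?::1:1111222233334444:1670000000::::[User ID not found]:10x:::::8:
uid:u::::1650000000::0000000000000000000000000000000000000002::Alice Example <alice@example.net>::::::::::0:
sig:!::22:0123456789ABCDEF:1650000000::::Alice Example <alice@example.net>:13x:::::8:
sig:!::1:FEDCBA9876543210:1660000000::::Bob Example <bob@example.org>:10x:::::8:
rev:!::1:FEDCBA9876543210:1680000000::::Bob Example <bob@example.org>:30x:::::8:
sub:u:255:18:89ABCDEF01234567:1650000000::::::e::::::18:
sig:!::22:0123456789ABCDEF:1650000000::::Alice Example <alice@example.org>:18x:::::8:
"""

if __name__ == "__main__":
    primary, uids = parse_check_sigs(SAMPLE)
    print("key", primary)
    for u in uids:
        print(" uid:", u.uid, "| active third-party certifiers:", active_certifiers(u))
        for c in u.certifications:
            kind = "rev" if c.revocation else "sig"
            print(f"   {kind} {c.sig_class} by {c.signer_keyid}"
                  f"{' (self)' if c.self_sig else ''}: {c.status}")
    for uid, signer, status in problems(uids):
        print(" CHECK:", uid, "signed by", signer, "->", status)
```

A ‘?’ entry means GnuPG could not verify the certification at all because the signer’s public key is not in your keyring; importing that key and re-running ‘--check-signatures’ is what turns it into a ‘!’ or a ‘-’. Only the latter two tell you anything about whether the certification is genuine.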

(Updated 5/24/2020, 8h35 … )


I’ve just received my 13.3″ Onyx BOOX Max2 e-Reader.

And so far I’m happy with it.

There is an underlying issue with Android-based e-Readers, which have been 4 years in the making, and which I’m only learning about in recent weeks. As a security precaution, Google has toughened the requirements on the Google Play Store app and on the Google Services app, which left numerous e-Readers that were once proud to offer a working Google Play app unable to connect to Google Play in the short term. This measure became effective as of March 2018. However, certain manufacturers of such devices have been struggling to make their devices compliant with the new Google Store, and as far as I know, the BOOX Max2 which I just received may be able to connect to the Google Play store fully.

(This posting has been revised, as of 4/14/2019, 10h15 : )

(The posting has been revised again, as of 10/24/2020, 12h45 : )

Out-of-the-box, the Max2 had a firmware version from April in 2018. But the latest Firmware update is from December in 2018.

  • I am glad to say that I found out how to set a PIN Code for this device, because if there had truly been no way, then the cloud resources that I’m logged in to would be just as vulnerable as an unlocked tablet. With the latest firmware, I found this setting under ‘Settings -> (Arrow to the Right) -> Screen Lock PIN Code’.
  • Apparently, the way to activate Google Play on this device, is now to go into “Settings -> Application” and to check “Activate Google Play”.

Instead of activating the Google Play Store, I have been focusing on using the Onyx app store for the time being. In days gone by, their in-house app store had a reputation of only offering apps in Chinese. But what the users of the Max2 can now do, is download e-Ink optimized apps in English. Those apps include the Amazon Kindle Android app.

This is a huge find for me, because it also implies less of a security compromise than I’d have if I were just to log the Max2 into Google Play.

I can side-load Free APK-Files to install software, and can install some additional proprietary, non-free apps from Onyx. APKs include the ‘OverDrive’ app, which allows me to check out books from my public library, in e-Book format. And what installs from the Onyx app store includes the ‘Kindle’ Android app, optimized for e-Ink. (:2)

I’ve tested both apps, and they seem to work fine.

But then again, speaking of side-loading… This can imply that files need to be transferred via USB cable from a PC to the device, and the device uses MTP as its protocol. There are some reports of issues in getting this to work from the Linux GUI, and I just ran into such an issue…

(Updated 6/21/2019, 7h35 … )
