All HTML pages of the CIRCL website are PGP signed with CIRCL’s general PGP key.
GPG/PGP fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5
There is a link “PGP signature of this page” at the bottom of each page which is a detached PGP signature of the actual HTML document. The location of the detached signature is the same url as the signed page with the suffix .asc appended.
How To Verify a CIRCL Web Page
If you would like to verify a page, especially a page containing hashes to binary files like in the CIRCLean project.
First, download the page over TLS that you would like to verify:
curl https://www.circl.lu/projects/CIRCLean/index.html >index.html
Then download the corresponding PGP detached signature:
curl https://www.circl.lu/projects/CIRCLean/index.html.asc >index.html.asc
Finally, you can verify the signature for the web page using GnuPG with the following command:
gpg --verify index.html.asc index.html
If the verification is successful, the output contains that the signature is good:
gpg: Signature made Tue 12 Aug 2014 09:13:33 AM CEST using RSA key ID 22BD4CD5
gpg: Good signature from "CIRCL <info@circl.lu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5
In any other case the result is a failed verification, mentioning the bad signature:
gpg --verify index.html.asc index.html
gpg: Signature made Tue 12 Aug 2014 09:13:33 AM CEST using RSA key ID 22BD4CD5
gpg: BAD signature from "CIRCL <info@circl.lu>"
When you encounter this issue, you should verify the integrity of your download process. If the problem persists, you can contact us.