Verify Integrity of CIRCL Web Pages

Verify Integrity of CIRCL Web Pages

  1. How To Verify a CIRCL Web Page

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

All HTML pages of the CIRCL website are PGP signed with CIRCL’s general PGP key.

GPG/PGP fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5

There is a link “PGP signature of this page” at the bottom of each page which is a detached PGP signature of the actual HTML document. The location of the detached signature is the same url as the signed page with the suffix .asc appended.

How To Verify a CIRCL Web Page

If you would like to verify a page, especially a page containing hashes to binary files like in the CIRCLean project.

First, download the page over TLS that you would like to verify:

curl https://www.circl.lu/projects/CIRCLean/index.html >index.html

Then download the corresponding PGP detached signature:

curl https://www.circl.lu/projects/CIRCLean/index.html.asc >index.html.asc

Finally, you can verify the signature for the web page using GnuPG with the following command:

gpg --verify index.html.asc index.html

If the verification is successful, the output contains that the signature is good:

gpg: Signature made Tue 12 Aug 2014 09:13:33 AM CEST using RSA key ID 22BD4CD5
gpg: Good signature from "CIRCL <info@circl.lu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA57 2205 C002 4E06 BA70  BE89 EAAD CFFC 22BD 4CD5

In any other case the result is a failed verification, mentioning the bad signature:

gpg --verify index.html.asc index.html
gpg: Signature made Tue 12 Aug 2014 09:13:33 AM CEST using RSA key ID 22BD4CD5
gpg: BAD signature from "CIRCL <info@circl.lu>"

When you encounter this issue, you should verify the integrity of your download process. If the problem persists, you can contact us.