'nother n00bie Q: Verifying the DSA signature?
Dan Lyke
danlyke at flutterby.com
Fri May 20 11:59:17 PDT 2005
So I retrieve the public key with:

GET 'http://www.livejournal.com/misc/openid.bml?openid.mode=getpubkey' > sigfile.sig

And I've used LiveJournal to generate a referer back to my app at
http://danlyke.gamahuche.com/openid.cgi which has given me:

openid.mode: id_res
openid.assert_identity: http://www.livejournal.com/users/danlyke/
openid.sig MCwCabcVttGPXYZuML6vsHIYmKZZZZSUeAhR4JZEY9lLAYVxmbkrRNWWlt8ZPDw==
openid.timestamp 2005-05-20T18:30:09Z

(sig obfuscated because I'm not sure I fully understand the
implications of disclosure)

Which I've built into a signed string of:

2005-05-20T18:30:09Z::assert_identity::http://www.livejournal.com/users/danlyke/::http://danlyke.gamahuche.com/openid.cgi

Now how do I verify this silly thing?

As a stupid guess, I've tried munging it back into a file that looks
like:

-----BEGIN PmungedtonotscrewupemailersGP SIGNED MESSAGE-----
Hash: DSA
2005-05-20T18:30:09Z::assert_identity::http://www.livejournal.com/users/danlyke/::http://danlyke.gamahuche.com/openid.cgi
-----BEGIN PmungedtonotscrewupemailersGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
MCwCabcVttGPXYZuML6vsHIYmKZZZZSUeAhR4JZEY9lLAYVxmbkrRNWWlt8ZPDw==
-----END PmungedtonotscrewupemailersGP SIGNATURE-----

and running "gpg --verify sigfile.sig signedfile"

And I'm getting

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.

I should probably just wait for Brad's Perl code, but this was making
a great distraction from figuring out inverse spline motion
projections on 4 dimensional hyperspheres (no, really... I kid you
not).

Sigh. Back to the hyperspheres.
Dan
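
An added example, not part of the original post and not LiveJournal's or Brad's code: the first four characters of the posted openid.sig, "MCwC", decode to the bytes 30 2c 02, which is how a DER SEQUENCE of INTEGERs begins rather than an OpenPGP packet. The sketch below assumes the value is a DER-encoded DSA (r, s) pair; the hash applied to the signed string is not stated in the post, so the digest is passed in as an integer, and the key and signature values are constructed toy numbers.

```python
import base64

def could_be_openpgp(blob: bytes) -> bool:
    """OpenPGP packet headers always have bit 7 of the first octet set."""
    return len(blob) > 0 and (blob[0] & 0x80) != 0

def _tlv(buf: bytes, pos: int, tag: int):
    """Read one DER element with the given tag; return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def parse_dsa_sig(b64: str):
    """Decode base64 DER SEQUENCE { INTEGER r, INTEGER s } into (r, s)."""
    blob = base64.b64decode(b64, validate=True)
    body, end = _tlv(blob, 0, 0x30)
    if end != len(blob):
        raise ValueError("trailing bytes after signature")
    r_raw, pos = _tlv(body, 0, 0x02)
    s_raw, pos = _tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(r_raw, "big"), int.from_bytes(s_raw, "big")

def dsa_verify(p, q, g, y, digest: int, r: int, s: int) -> bool:
    """Textbook DSA verification; digest is the message hash as an integer."""
    if not (0 < r < q and 0 < s < q):      # reject out-of-range values first
        return False
    w = pow(s, -1, q)                      # modular inverse (Python 3.8+)
    u1, u2 = digest * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

# Constructed toy values, far too small for real use: x = 3, k = 7, digest = 7.
P, Q, G, Y = 23, 11, 4, 18
TOY_SIG = base64.b64encode(bytes([0x30, 6, 2, 1, 8, 2, 1, 6])).decode()
PAGE_PREFIX = base64.b64decode("MCwC")     # first four characters of the posted sig

if __name__ == "__main__":
    print(could_be_openpgp(PAGE_PREFIX), parse_dsa_sig(TOY_SIG))
```

With a real key, p, q, g and y come from the published public key and the digest from hashing the exact signed string.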