
On Tue, Sep 2, 2014 at 3:36 PM, Italo Vignoli <> wrote:
Pete Stephenson wrote:

Users should download the keylist (which is also signed by my PGP key,
0x85EB9F44), compute the SHA256 and RIPEMD160 hashes of the list in
accordance with the directions, print out the list, and write the
hashes they computed in pen on the list. These hashes will then be
compared with the hash computed by me, which I will display at the
KSP. This way people can be assured that the list they printed out
matches precisely with the official list and there's been no

This is beyond my technical skills. I have uploaded the key to the
keyserver, using the Terminal, but this has already represented a huge
effort on my side. I do not use the Terminal, as I am a normal user, so
I will be coming to the party but do not expect hashes (maybe ashes...)
from me.

Hi Italo (and others attending the conference and KSP),

Command-line GPG commands can be arcane and daunting if you're not
familiar with them. Sorry. :/

I was going to write up some detailed how-to guides with images and
put them online, but I've been a bit busy with a new baby and haven't
had the time yet. I'll try to have some guides up later tonight.

I'll try to explain how to download and calculate the hashes on the
keylist in a step-by-step manner for the Mac. Fortunately, it only
involves executing three commands from the terminal which you can
copy-paste from this message.

1. Open the Terminal.

2. Download the keylist by executing the following command in the Terminal:

curl ""; -o ksp-libo2014.txt

That command will download the keylist and save it as
"ksp-libo2014.txt" in your home directory. Keep the Terminal open for
the time being.

3. Open the keylist file in a text editor (TextEdit is the default
text editor for Mac OS X) and print it out. (I assume that you know
how to open and print text files.) After printing it, close TextEdit.

4. Back in the Terminal, compute the hashes of the keylist by running
these two commands one after the other:

gpg --print-md SHA256 ksp-libo2014.txt

gpg --print-md RIPEMD160 ksp-libo2014.txt

You should hand-write the hashes in the spaces provided in the printed
keylist and bring it with you to the keysigning party. At the party
I'll display the hashes I calculated when the keylist was generated --
they should match exactly with those that you've computed.

This provides a strong assurance that the keylist you printed out is
exactly the same as the official one and makes life considerably
easier: rather than verifying the fingerprint on each key separately,
you'd just need to verify (1) that your key's fingerprint on the list
is correct, (2) the hashes of your copy of the list match the hashes I
display at the keysigning party, and (3) each person on the list
attests at the keysigning party that their fingerprint on the list is

Here's an example of what it looks like from my terminal (I'm using
Linux, but it should look essentially the same for a Mac):

pete@kaylee ~ $ curl
""; -o
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10933  100 10933    0     0  58082      0 --:--:-- --:--:-- --:--:-- 79224
pete@kaylee ~ $ gpg --print-md SHA256 ksp-libo2014.txt
pete@kaylee ~ $ gpg --print-md RIPEMD160 ksp-libo2014.txt

Hopefully that straightens things out a bit. If you have any other
questions, let me know.


Pete Stephenson
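
The hash comparison from step 4, as an added example that is not part of the original message: a shell helper that computes a digest with `gpg --print-md` and compares it with an announced value regardless of spacing, line wrapping or letter case. The function names are assumptions made for illustration, and the sample is a constructed file containing "abc", not the real keylist.

```shell
#!/bin/sh
# Added example (not from the original message).

# Reduce a digest to bare uppercase hex. Accepts `gpg --print-md` output
# ("file: 0A1B2C3D ...", possibly wrapped over lines) or a hand-typed value.
normalize_md() {
    printf '%s' "$1" | sed 's/^.*: *//' | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# Digest of a file as bare uppercase hex. Uses gpg as in the message above;
# for SHA256 only, falls back to sha256sum/shasum when gpg gives no output.
file_md() {  # usage: file_md SHA256|RIPEMD160 FILE
    out=$(gpg --print-md "$1" "$2" 2>/dev/null) || out=
    if [ -z "$out" ] && [ "$1" = SHA256 ]; then
        out=$( { sha256sum "$2" || shasum -a 256 "$2"; } 2>/dev/null | cut -d' ' -f1)
    fi
    [ -n "$out" ] || return 2
    normalize_md "$out"
}

# Succeeds only if the file's digest equals the announced one.
check_md() {  # usage: check_md ALGO FILE "ANNOUNCED DIGEST"
    want=$(normalize_md "$3")
    case "$want" in
        ''|*[!0-9A-F]*) echo "$1: announced value is not hex" >&2; return 2 ;;
    esac
    have=$(file_md "$1" "$2") || { echo "$1: cannot compute digest" >&2; return 2; }
    if [ "$have" = "$want" ]; then
        echo "$1 OK"
    else
        echo "$1 MISMATCH: computed $have, announced $want" >&2
        return 1
    fi
}

# Constructed sample: a temporary file containing "abc" and its known SHA256.
sample=$(mktemp) && printf 'abc' > "$sample"
check_md SHA256 "$sample" \
    "BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD"
rm -f "$sample"
```

For the real keylist, call `check_md` once with SHA256 and once with RIPEMD160, passing the values displayed at the keysigning party.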
