PGP — or “Pretty Good Privacy”– is a message format that’s used to sign and/or encrypt documents. In fact, this is relevant to you in the Off-Label OS user experience so pay attention. GnuPG is an implementation of PGP. More specifically, it’s a free software version of software that is defined in a specification document (RFC-4880) but often implemented as a commercial software product. Gnu, however, is a name you should get to know, if you don’t already, because Gnu basically always implies free software (copyleft). And so GnuPG is the free version of PGP. Are you with me so far?
PGP (or GPG, in our case) can be used to sign documents, like I mentioned. What this means is that if I have a PGP key pair, I use my keys to sign a document, which is exactly what I did with the OffLabelOS.zip file that I made available for download. You see, once I make a zip file, what’s to stop someone else from modifying it and distributing it as if it were the original? The ansewr is PGP.
Now, it’s typically (and awesomely) used for encrypting files; PGP can be used to scramble file contents so that only the intended recipient’s key can decrypt the file and view the contents in plain text. But that’s not what we’re doing with it.
What we’re doing is just signing. Signing the file uses our PGP keys to certify the file contents at a specific time. If the file is modified in any way after this, the signature verification will fail. In our case, we’re verifying OffLabelOS.zip with OffLabelOS.sig.
The way to do this is:
1. Download OffLabelOS.zip in its entirety.
2. Download OffLabelOS.sig
3. Open your terminal / command line program (terminal in mac, cmd in windows)
4. Download my public key:
gpg --recv-keys 8F1D6125
5. Verify that key’s fingerprint is: 2011 83C3 1C8D B187 D019 2065 0040 1F2F 8F1D 6125
6. Verify the signature:
gpg --verify OffLabelOS.sig OffLabelOS.zip
Now you’re ready to proceed and
unzip OffLabelOS.zip before you
cd OffLabelOS and