the GPG Tools package for a Mac and use it to verify the signature of a downloaded file. So previously I have downloaded the GPG Suite package and I'm going to run the installer. I want all the default options. Of course it's going to ask me for my system password, because it has to install system software. It opens some help files, which I'll dismiss for the moment; you probably ought to read them. So the first thing it asks you to do is to generate a new key pair. When you install GPG for the first time, it notices that you don't have a public and private key pair. GPG, which is really an alternative to PGP (so I'll use those two terms interchangeably), is an encryption and verification system that relies on every person having two keys: a private key that they keep for themselves and a public key that everyone else can see. And it's by signing or encrypting files with one of those two keys that both secure and verified communication can take place in a mathematically provable way. You don't have to generate a new key pair. In fact, for the moment let me cancel, because we don't really need it for what I'm about to do. I'll maybe come back later and show you how to make a key pair if you want to create one. Let me close the installer; I don't need that anymore. And I'll remove that. So what's the situation in which you want to use GPG to verify a downloaded file? Let me go to the Google Drive folder I've shared. And maybe there's a very important file you want to read, lesson0.pdf. But because it's so important, you're worried that maybe it got changed accidentally, maybe someone went in and changed it just to mess with you, or maybe there was just an internet hiccup when you were downloading it. You want to make sure the file you end up downloading is the same as the one that I uploaded. So here's the PDF that's super important, and a preview of it.
Let me download that file, because after all I want it on my computer so I can work with it. So yes, I want to keep the file. It ends up in my downloads directory. Now going back to Google Drive, next to lesson0.pdf there's lesson0.pdf.asc. The .asc indicates that this is a PGP signature for the file lesson0.pdf. So let's look at that signature and see what it looks like. This is clearly a PGP signature. It doesn't tell me anything other than the fact that it is a signature, and it has this big pile of what should be essentially random characters. I'll explain in a moment where this signature comes from, but for the moment let me download this file. It of course also ends up in my downloads directory. So what can I do with that signature? Now that I have GPG Keychain installed, I can click on that file and notice what it says: "Verification results: lesson0.pdf signed by Abraham David Smith, undefined trust." The important thing here is that it says it knows what file it's talking about, lesson0.pdf, and knows that file has been signed by this particular person, but we don't know whether or not we ought to trust that person.
So what this is doing, when you click on the file lesson0.pdf.asc, is looking at that signature we just saw in the browser window. Remember, the signature looks like this file. So it's reading this file, and from this information it has a hint of who signed the file. It's then checking the internet to see what key had signed that file and who that key belongs to. And then it's observing that in the same directory as the signature there's a file actually called lesson0.pdf. So what it's doing is examining that file bit by bit and comparing it to what this person said that file ought to look like. Indeed they match: the fact that this is simply a message, and not a big red warning saying "failure to match" or "verification error" or so on, means that this is in fact the file that this person, or the person controlling this key, said it was going to be. So a PGP signature contains two pieces of information. It tells you that the file you're looking at is the same as the one that was signed, because if there's any alteration to the original file, no matter how tiny or large, this signature should really not match; at least it's statistically extremely unlikely, as in many multiple lifetimes of the universe unlikely. And it tells you who declared at that time that the file is what they said it was. So there's two questions here: is the file what it was claimed to be, and who claimed it was that in the first place? And a PGP signature deals with both of those questions simultaneously. How do you know who this person is who signed it? How do we know who that person is? Well, in fact, let me open that one more time. Let me take you to the key, which is on my web page. And here's the key, my public key file. This is the key I used to sign this file. It's a lot of random bits, about four thousand random bits, which is plenty for
any sort of encryption you want to do in the human world. So what I'm going to do is download this file, finally, with Save Page As. And yes, I'll call it the same thing, and of course it ends up in my downloads directory. What I want to do from the keychain manager is import that key. And now it's imported. Now, among the keys that you know about there are two of them: one of them is the key from the people who wrote the software we're currently using, the other one is this key by this person claiming to be Abraham David Smith, with this ID number. If you were to make your own public and private key, then you could officially declare, in a cryptographically secure way, that you actually trust this person, and then when you look at the verification it would say "fully trusted" or "marginally trusted" to indicate how much you trust this person to be honest about signing that file. But for the moment this has served its purpose. If you believe that this key really belongs to me, then the file we downloaded is indeed the same as the file that I had signed. Let's see what happens when the file gets altered. So to do that, let me mess with the file a little bit. Let me close that, and close that. So let me go to my downloads folder and let me actually do something kind of nasty. I'm going to take this file and rename it. Let me do something pretty nasty. Let me copy it so I don't...
Well, actually, let me just delete it. Let's do that. Okay, so that file is now gone. And let me take some other random file, like say this one here (that's actually a video), and let me make a copy of it and rename it lesson0.pdf. So now I have this other file called lesson0.pdf that's a totally different file. So what happens when I verify that? If I now try to verify again: "lesson0.pdf verification failed." So you know there's a problem: the file is not what the signature claimed it was. That's the sort of thing that you have to look for to see if maybe your download was corrupted or the file you got was somehow altered along the way. It could be a hard drive error; it could be sunspots flipping bits in the memory of your computer; it could be someone walked too close to your hard drive with a magnet and messed it up a little bit; it could be that your wireless was being interfered with when you were downloading the file; it could be that the web server was surreptitious; it could be that there's some evil player along the way messing with your data; or it could be your roommate was messing with your laptop again. So all these things are possible, and this verification failure tells you that something is wrong with this file. So that's the main purpose. I'll stop there, and next time we'll talk about how to make your own key to build a web of trust of people who you trust.
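The same workflow the lecture walks through in GPG Keychain (sign a file with a detached .asc signature, verify the intact file, then swap in different contents and watch verification fail) can be reproduced on the gpg command line. The script below is an added example and is not part of the lecture or of GPG Suite; it assumes gpg 2.1 or newer is on PATH, uses a throwaway keyring in a temporary directory so it never touches your real ~/.gnupg, and the signer identity "Demo Signer <demo@example.invalid>", the file names and the file contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the lecture: the detached-signature workflow on the
# gpg command line. Requires gpg 2.1 or newer on PATH. The signer identity,
# file names and file contents below are all constructed for this demo.
set -eu

# Skip gracefully (exit 0) when gpg is not installed.
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to demonstrate"; exit 0; }

# Private scratch keyring so the demo never touches the real ~/.gnupg.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Generate a throwaway key pair without any passphrase prompt.
make_demo_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never
}

# Produce "$1.asc": an ASCII-armored detached signature over the file "$1",
# the same kind of file as lesson0.pdf.asc in the lecture.
sign_file() {
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$1.asc" "$1"
}

# Exit status 0 only if "$1.asc" is a valid signature over exactly "$1" made by
# a key in the keyring; any change to the file yields a non-zero status.
verify_file() {
  gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Returns 0 when the intact file verifies and the tampered copy does not.
check_tamper_detection() {
  work=$(mktemp -d)
  printf 'lesson 0: a very important document\n' > "$work/lesson0.pdf"
  sign_file "$work/lesson0.pdf"
  if ! verify_file "$work/lesson0.pdf"; then
    echo "unexpected: intact file failed to verify"; return 1
  fi
  echo "intact file: verification OK"
  # Overwrite the contents, as the lecture did by putting another file in its place.
  printf 'a totally different file\n' > "$work/lesson0.pdf"
  if verify_file "$work/lesson0.pdf"; then
    echo "unexpected: tampered file verified"; return 1
  fi
  echo "tampered file: verification FAILED (as it should)"
  rm -rf "$work"
  return 0
}

make_demo_key
check_tamper_detection
gpgconf --kill gpg-agent 2>/dev/null || true
```

In real use you would not generate the key yourself: you would import the author's public key (the file downloaded from the web page in the lecture) with `gpg --import`, then run `gpg --verify lesson0.pdf.asc lesson0.pdf`. The "undefined trust" note in the lecture corresponds to gpg's warning that the key is not certified with a trusted signature; the verification of the file contents itself is independent of that trust decision.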