Let’s verify the posted Canary message
Garbled HTML Mishmash with incorrect format and many other oddities.
—–BEGIN PGP SIGNATURE—–
Version: Keybase OpenPGP v2.1.13
Comment: <a href="https://keybase.io/crypto">https://keybase.io/crypto</a></li>
</ul>
<p>wsBcBAABCgAGBQJeizoGAAoJEPQrujgXjffw75oIAJGjYi/sUnmsG18PdzQz2epe
qX/a7ctisbSNC8WaBGpuDIFHMwdpeoQIWj5Kza/9G+LfG9nQ02Lxbhdt07uj+zfD
Shg61fMld6UiOuK2dFpqfMsKYPsbZlGWOEzPoRJCbfBMRI+kvaRCtpNoLc5WcNO1
jSp67Ti3V12ytr23kArWhzz7nL3fooRPj+EkpkFEEW9XePaCZ0kE9kUsjUw+xD1G
OVV9dvb4liGDubcUlkkansxswrTVm9K3bRYt0Bwqxary6r5XfYqdidiLXSp7aHjx
mhbxdD3dAY8+Kbp+BnVE3bgE5ENw0xk5/459cgmsrZJi4taDFDeVqvAznrx1r+M=
=kugb
—–END PGP SIGNATURE—–</p>
Cleaned up signature with correct format:
-----BEGIN PGP SIGNATURE-----
wsBcBAABCgAGBQJeizoGAAoJEPQrujgXjffw75oIAJGjYi/sUnmsG18PdzQz2epe
qX/a7ctisbSNC8WaBGpuDIFHMwdpeoQIWj5Kza/9G+LfG9nQ02Lxbhdt07uj+zfD
Shg61fMld6UiOuK2dFpqfMsKYPsbZlGWOEzPoRJCbfBMRI+kvaRCtpNoLc5WcNO1
jSp67Ti3V12ytr23kArWhzz7nL3fooRPj+EkpkFEEW9XePaCZ0kE9kUsjUw+xD1G
OVV9dvb4liGDubcUlkkansxswrTVm9K3bRYt0Bwqxary6r5XfYqdidiLXSp7aHjx
mhbxdD3dAY8+Kbp+BnVE3bgE5ENw0xk5/459cgmsrZJi4taDFDeVqvAznrx1r+M=
=kugb
-----END PGP SIGNATURE-----
Now which key?
$ gpg --list-packets -
-----BEGIN PGP SIGNATURE-----
wsBcBAABCgAGBQJeizoGAAoJEPQrujgXjffw75oIAJGjYi/sUnmsG18PdzQz2epe
qX/a7ctisbSNC8WaBGpuDIFHMwdpeoQIWj5Kza/9G+LfG9nQ02Lxbhdt07uj+zfD
Shg61fMld6UiOuK2dFpqfMsKYPsbZlGWOEzPoRJCbfBMRI+kvaRCtpNoLc5WcNO1
jSp67Ti3V12ytr23kArWhzz7nL3fooRPj+EkpkFEEW9XePaCZ0kE9kUsjUw+xD1G
OVV9dvb4liGDubcUlkkansxswrTVm9K3bRYt0Bwqxary6r5XfYqdidiLXSp7aHjx
mhbxdD3dAY8+Kbp+BnVE3bgE5ENw0xk5/459cgmsrZJi4taDFDeVqvAznrx1r+M=
=kugb
-----END PGP SIGNATURE-----
# off=0 ctb=c2 tag=2 hlen=3 plen=284 new-ctb
:signature packet: algo 1, keyid F42BBA38178DF7F0
version 4, created 1586182662, md5len 0, sigclass 0x00
digest algo 10, begin of digest ef 9a
hashed subpkt 2 len 4 (sig created 2020-04-06)
subpkt 16 len 8 (issuer key ID F42BBA38178DF7F0)
data: [2048 bits]
OK, so finally I get the Key ID. Let’s get the public key:
$ gpg --recv-key F42BBA38178DF7F0
gpg: key FF55B791DAB0D433: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
Oops! not there! But there’s another key ID. Let’s see who it belongs to:
https://keybase.io/super3
This is why I don’t like keybase.io … it’s way too complex for something that has been simple for a long time. However, after all that work trying to figure out who and what signed the message, I still haven’t verified the message yet.
Let’s finally import the keybase.io special purpose public key server key:
$ gpg --fetch-key https://keybase.io/super3/pgp_keys.asc?fingerprint=9f824b3d9bc857c790e747deff55b791dab0d433
Check signature time.
Again a Garbled HTML Mishmash:
<p>—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512</p>
<p>As of 04/06/2020, Storj Labs Inc. has never received a National Security Letter, an order under the Foreign Intelligence
Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would
seek to let the public know it existed.</p>
<ul>
<li>- Nation is told to brace for a difficult week ahead</li>
<li>- Stock markets surge even as covid-19 cases near peak in parts of U.S.</li>
<li>- U.S. hospitals facing ‘severe shortages’ of equipment and staff, watchdog report says</li>
<li>- Trump blocks Fauci from answering question about drug Trump is touting</li>
<li>- Boris Johnson remains ‘under observation’ in a London hospital; aides say he continues to lead government
Clean up time:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
As of 04/06/2020, Storj Labs Inc. has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed.
- Nation is told to brace for a difficult week ahead
- Stock markets surge even as covid-19 cases near peak in parts of U.S.
- U.S. hospitals facing 'severe shortages' of equipment and staff, watchdog report says
- Trump blocks Fauci from answering question about drug Trump is touting
- Boris Johnson remains 'under observation'; in a London hospital; aides say he continues to lead government
-----BEGIN PGP SIGNATURE-----
wsBcBAABCgAGBQJeizoGAAoJEPQrujgXjffw75oIAJGjYi/sUnmsG18PdzQz2epe
qX/a7ctisbSNC8WaBGpuDIFHMwdpeoQIWj5Kza/9G+LfG9nQ02Lxbhdt07uj+zfD
Shg61fMld6UiOuK2dFpqfMsKYPsbZlGWOEzPoRJCbfBMRI+kvaRCtpNoLc5WcNO1
jSp67Ti3V12ytr23kArWhzz7nL3fooRPj+EkpkFEEW9XePaCZ0kE9kUsjUw+xD1G
OVV9dvb4liGDubcUlkkansxswrTVm9K3bRYt0Bwqxary6r5XfYqdidiLXSp7aHjx
mhbxdD3dAY8+Kbp+BnVE3bgE5ENw0xk5/459cgmsrZJi4taDFDeVqvAznrx1r+M=
=kugb
-----END PGP SIGNATURE-----
Result:
gpg: Signature made Mon 06 Apr 2020 10:17:42 AM EDT
gpg: using RSA key F42BBA38178DF7F0
gpg: BAD signature from "Shawn Wilkinson <shawn@storj.io>" [unknown]
So… What was the original message that was signed? Maybe it wasn’t the one posted.
Plain text… or <pre></pre> tags along with the key ID of the signature would make the verification process a lot less messy. PGP keys leak that information anyway… So, one might as well just put it up on the screen.
In any case, the basic problem still exists… The Canary statement can not be trusted. Its presence or absence can not be used as assurance of any truthfulness of what is written in the statement, signed or otherwise.
And this is the precise point I was making in other threads about the importance of not allowing any unencrypted user data onto the network. Storj is open source, and that’s a good thing… and having a protocol which expressly rejects unencrypted user data protects SNOs from possible future legal issues.
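The `gpg --list-packets` step in the post can be reproduced by hand. The following is an added example, not part of the original post: a small Python parser for a v4 OpenPGP signature packet, run on the first armor line of the signature shown above (48 bytes, which already hold the header, both subpacket areas and the digest prefix). Function names are illustrative.

```python
import base64, struct

# First armor line of the signature posted above; the RSA MPI that follows is omitted.
FIRST_ARMOR_LINE = "wsBcBAABCgAGBQJeizoGAAoJEPQrujgXjffw75oIAJGjYi/sUnmsG18PdzQz2epe"

def _length(buf, i, sub=False):
    """Decode an RFC 4880 length at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (sub and first < 255):   # subpackets use 192..254 as two-octet
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not handled")

def _subpackets(area):
    """Yield (type, body) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        n, i = _length(area, i, sub=True)
        yield area[i] & 0x7F, area[i + 1:i + n]   # top bit of the type is the critical flag
        i += n

def parse_v4_signature(raw):
    if raw[0] & 0xC0 != 0xC0 or raw[0] & 0x3F != 2:
        raise ValueError("not a new-format signature packet (tag 2)")
    plen, i = _length(raw, 1)
    version, sigclass, pk_algo, hash_algo, hlen = struct.unpack(">BBBBH", raw[i:i + 6])
    if version != 4:
        raise ValueError("only v4 signatures are handled")
    hashed = raw[i + 6:i + 6 + hlen]
    j = i + 6 + hlen
    (ulen,) = struct.unpack(">H", raw[j:j + 2])
    unhashed = raw[j + 2:j + 2 + ulen]
    info = {"plen": plen, "sigclass": sigclass, "pk_algo": pk_algo,
            "hash_algo": hash_algo,
            "digest_prefix": raw[j + 2 + ulen:j + 4 + ulen].hex()}
    for area, signed in ((hashed, True), (unhashed, False)):
        for typ, body in _subpackets(area):
            if typ == 2:       # signature creation time (seconds since epoch)
                info["created"] = struct.unpack(">I", body)[0]
            elif typ == 16:    # issuer key ID
                info["issuer"] = body.hex().upper()
                info["issuer_is_signed"] = signed
    return info

def parse_page_signature():
    """Parse the header of the signature quoted in the post."""
    return parse_v4_signature(base64.b64decode(FIRST_ARMOR_LINE))

if __name__ == "__main__":
    print(parse_page_signature())
```

The issuer key ID sits in the unhashed subpacket area, so it is only a lookup hint and is not covered by the signature itself.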