I've updated the pizzagate research git repository again, and I've added a way to double-check that files haven't been tampered with.
Every time I update the repository I'll make an index of all files as well as their unique file hashes using hashdeep, and then clearsign this report using PGP key 0x6149e199ee21159c and save that as filehashes.ausbitbank.txt.
Now we have unique fingerprints for every file in the archive (md5 and sha256) saved to an index, and a way to verify if someone has tampered with the index.
View the hash index on gitlab
To check the signature file with GPG
1) Import my public key from a keyserver:
gpg --keyserver pgp.mit.edu --recv-keys 0x6149e199ee21159c
2) Verify the signature:
gpg --verify filehashes.ausbitbank.sig
A valid clearsigned file will say this:
gpg: Signature made Thu 08 Dec 2016 10:40:59 PM AEDT using RSA key ID EE21159C
gpg: Good signature from "AusBitBank AusBitBank@gmail.com"
To manually verify file hashes against what's in the index
Hashes are saved in the index in this format
Linux users can get the sha256 hash for any file using:
For example:
Gives this result:
You can then lookup that hash in the index to verify it matches.
This command combines the 2 steps: it calculates the file's hash, and then greps (searches) for that hash in the index.
grep "`sha256sum rest-in-peace/aaron-swartz.jpg|cut -f1 -d" "`" filehashes.ausbitbank.txt
If you get no result, the hash didn't match anything in the index.
If the hash matches anything, it will dump the matching lines from the index like this example:
It's manual for now, but it's better than nothing imho. I'd like to automate verification, and find a way to also generate sha256-256 hashes in the format used by IPFS, since I expect the censorship of this info will only escalate.
I'm open to suggestions for better / more secure ways to do this!
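
An added example, not code from the original post: one way to automate the manual sha256 check above for the whole tree, reporting altered, missing and unlisted files. It assumes the index uses hashdeep's default row layout (size,md5,sha256,filename) with paths relative to the repository root; the function names and the sample tree are constructed for illustration, and it does not check the PGP signature, so run step 2 first.

```python
import hashlib
import os
import tempfile

HEAD, SIG = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_index(text):
    """Map path -> sha256 from hashdeep rows (assumed: size,md5,sha256,filename)."""
    if HEAD in text:  # clearsigned file: keep only the text the signature covers
        text = text.split(HEAD, 1)[1].split(SIG, 1)[0]
    rows = (line.split(",", 3) for line in text.splitlines())  # filename may hold commas
    return {os.path.normpath(p[3]): p[2].lower() for p in rows
            if len(p) == 4 and p[0].isdigit() and len(p[2]) == 64}

def verify_tree(root, index_text, skip=("filehashes.ausbitbank.txt",)):
    """Return (mismatched, missing, unlisted) paths relative to root."""
    expected = parse_index(index_text)
    on_disk = set()
    for d, dirs, files in os.walk(root):
        dirs[:] = [x for x in dirs if x != ".git"]  # git metadata is not archive content
        on_disk.update(os.path.relpath(os.path.join(d, f), root) for f in files)
    on_disk -= set(skip)  # the index cannot list its own hash
    both = on_disk & set(expected)
    bad = sorted(n for n in both if sha256_file(os.path.join(root, n)) != expected[n])
    return bad, sorted(set(expected) - on_disk), sorted(on_disk - set(expected))

def demo():
    """Constructed sample tree: b.txt is altered and new.txt added after indexing."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        rows = ["%%%% HASHDEEP-1.0", "%%%% size,md5,sha256,filename"]
        for name, data in (("docs/a.txt", b"alpha"), ("b.txt", b"bravo")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
            rows.append(f"{len(data)},{'0' * 32},{hashlib.sha256(data).hexdigest()},{name}")
        for name, data in (("b.txt", b"tampered"), ("new.txt", b"x")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return verify_tree(root, "\n".join(rows))

if __name__ == "__main__":
    print(demo())
```

Rows that sit outside the signed region of the clearsigned file are ignored, because a good signature says nothing about text placed before the header or after the signature block.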