cmdshell-clear

Keys

Public Site Keys

zenith@cmdshell.uk 2025-08-16 Expires: 2026-08-17

Revoked Keys

None currently revoked.

What is all this for?

This is a means to authenticate posts as having been written by Z3n!th, the website owner, and that they remain unaltered and accurate to the original wording. It is a small concern, but a show of faith in what is written, and an example of how the techniques this blog often talks about can be used to better validate our content.

How the keys are made

I tend to use GnuPG keys so you will need to install that first, once you've done that the command looks a bit like this:

gpg --gen-key

It generates a private key and a public key file for me to distribute.

How the manifests are signed

Generation of the hash

It's generally done as part of the signing process by defining a detached signature, but you can generate the hash of the manifest like so:

(Get-FileHash manifest.yml).Hash

Signing the hash

gpg --output manifest.yml.sig --detach-sig --sign --default-key zenith@cmdshell.uk .\manifest.yml

How to get the public key

There are two ways to get the public key, first of all it should be listed above and you can simply download it. Secondly you can download the Zenith logo that comes with the post and extract it from that.

Extracting the key

For this step you will need to install steghide

steghide --extract -sf logo.jpg -xf output.pub

The passphrase is Z3n!th and it should produce a public key.

Importing the key

You can then import this key with:

gpg --import output.pub

How to verify the signature

To verify the signature you will need a copy of the original manifest given at the bottom of the post you wish to validate, its accompanying signature, and a copy of the public key associated with this post imported into your keyring. Please note older posts may use out of date keys, so long as the key was valid at the time of publishing the signature can be considered valid. Signatures can be verified like so:

gpg --verify .\manifest.yml.sig .\manifest.yml

This will confirm that the signature matches a public key in your keyring, and that the hash matches that of the manifest. If this is true and the manifest correctly represents the post in question, you can reliably confirm the post is accurate as posted by me without alteration.