Artikelbild

4 Min Druckversion

What are digital signatures and how do I check them?

A (new) feature of Content Nation is digital signatures for articles.
Here's an explanation of what they are, why they exist on Content Nation, and the benefits for authors and readers.

What are digital signatures?

Digital signature are complementary to signatures in "real" life, these digital signatures can prove not only who signed it, but additionally what was signed.
The whole thing works on the basis of asymmetric mathematical functions.
Explained in layman's terms:
The content is converted from a long text into a comparatively short version by means of mathematical functions (hashing). This hashing is not reversible, i.e. the original version cannot be reconstructed from the short version. But if even one character changes in the original, a completely different result comes out.
For experts:
Content Nation uses SHA-384 for hashing, the text to be hashed can be viewed and checked. See below.
For everyone:
After this short "version" is generated, it is signed, i.e. signed by the author.
This is done with an asymmetric procedure. For this there is a private key and a public key.
The private key is, as the name implies, private and secret. It should be kept safe and should not be given to anyone. Here on Content Nation, the key is generated in the internal profile admin area and stored in the browser. It is also explicitly stated to store it securely.
The private key now encrypts (or rather signs) the short version. The result is the signature.

The public key is used to verify the digital signature. This is now used to decrypt the signature. This only works if the public key belongs to the private key, otherwise the result is wrong. Afterwards, the content to be checked is "shortened" using the same hashing. If the decrypted signature and the hashing result are identical, then this text was signed and signed.

Analogous to the signature of the content by the author, a subsequent signature is made by Content Nation. There is then further info in it, such as publication time and URL.

Why are there digital signatures on Content Nation?

Many authors know the problem of content copying. There, parts or even whole texts are "recycled" by other people or also known as a quote without mentioning sources.

With these signature functions it is now possible to check a) who created the text (content signature). But also when and where it was published on Content Nation (Content Nation signature).

If someone now goes and "quotes" your text, the signature can prove that you have published the text before the time of the copy.

So it is a protection for you as well as for your readers.

 

How do I check the digital signature?

Attention, now it gets a bit technical.
Here is a guide for Linux, presumably it works the same way on Windows and macOS if you have the appropriate command line tools of OpenSSL installed.

Check content signature

At the end of an article where the signature is enabled, there are the 2 signatures for content and publication.
Below that there is a link to expand more information.
The first box displays the text for the content signature. This is the title of the article, content, tags and author name if specified.
However, the article content is edited a bit beforehand. All styling (headings, text formatting, etc.) is removed and all spaces and line breaks are replaced with single spaces.
For the experts:

document.querySelector('#content>.content').textContent.replace(/\s+/g, ' ').trim();

Now copy the content of the box into a file. Attention, no line break at the end. Save as content.txt . Other names are of course also possible, just adapt the code snippets accordingly.
Next you need the public key of the profile, which is linked below the box. Here in the example the dbe882dbe12bdf7f3262f63ecf58de79.pem (the signature for the help).
The last thing you need is the signature itself. Copy it and save it e.g. as signature.txt .

Please make a line break at the end of the file. It's stupid that it's different, but I can't change the tools.
The tools we use need this signature as binary file. So we have to convert it:

openssl base64 -d -in signature.txt -out signature.bin

Now we can verify the signature:

openssl dgst -sha384 -verify dbe882dbe12bdf7f3262f63ecf58de79.pem -signature signature.bin content.txt

If everything is OK, there should be

Verified OK

should be there.
If not, check whether a line break has crept in at the end of the signature.txt. Some editors do this automatically.

Analogously, the Content Nation signature is also checked. The content of the signature is in the second box, the steps are basically identical.
It contains the signature of the content, the unique ID of the public key, publication time and, if available, the last change and finally the URL.
Only the public Content Nation key is required. It is also linked under the box.
Here now again convert signature to binary:

openssl base64 -d -in signature.txt -out signature.bin

and check signature

openssl dgst -sha384 -verify contentnationpublickey.pem -signature signature.bin contentnation.txt

Digitale Signaturen des Artikels

Was sind die digitalen Signaturen und wie prüfe ich die?
Inhalts-Signatur:
MGYCMQDqa5GhQdBZ0OsEM/HuAxlXpWKn4N/k1OZcctX/81ykbKhWk2Utomq744xTsHl2FpUCMQD7bRX2lP1RdA7I4062CE1ArQLHxcX+JSPPTRP2DFPHUonLQlRTRigmX3oRYjzqaCM=
Content Nation Signatur
MGUCMEcYhPqe+dJT/odD7AwyUOAL6/jWQH90XYY5kuxFEgQwiAhvl/wK6+GCjc8DTCdz8gIxAInvCUGvOIDQXi0b94c6Mthb2lvTuf0PJao676EEEAqJZXkyl9QXVQHkmnm7rVmtRw==

Mehr Signatur-Informationen