About PGP Sigs

As of February, 2004, all newly posted executable files posted on www.writelog.com are accompanied by a signature from the WriteLog Sales PGP public key. The public key itself is posted below, but please read this page before trusting the key you find there.

Why post a “signature” and what does it mean?

The reason we must do this is to provide a mechanism that WriteLog customers can use to protect themselves from the possibility of installing a file that represents itself as coming from the WriteLog team (W5XD and N9OH), but instead is a file that someone else has created. If you are interested in protecting yourself against the possibility of installing such a file–especially if that file might have been created by someone intent on obtaining your personal data from your PC but without your knowledge, please read on. On the other hand, if you always run WriteLog on a PC that has no personal data on it, and if you don’t care if that PC gets hacked even to the extent you must reinstall Windows, then you can ignore this page, as well as all the digital signature downloads on writelog.com.

As of October, 2016, WriteLog version 12 and certain other downloads are signed using two different technologies: the PGP signatures we have been using since 2004, and signatures using a Microsoft Code Signing Certificate. The mathematics behind the two technologies is roughly equivalent. What is very different is how the trustworthiness of the signature is maintained.

Note from W5XD

I don’t know about you, but I have come to depend on my PC for keeping financial and tax records, and other personal information that could be used to steal from me if someone gained access to my PC and was able to read the files on it. Recently I became aware that even licensed radio amateurs that are also computer hackers are willing to crack WriteLog’s registration code not only for the purpose of stealing a copy of the program for themselves, but even to sell the codes and software to others. Knowing that hams that are willing to steal from fellow hams these days, I can say without qualification that the Internet is “not a safe place”. It is prudent to protect yourself from people who intend to take advantage of you and steal from you by any means they can figure out. I am not going to stop using the Internet just because of the bad guys out there, but I am going to be careful what I install and run on my PC.

Even if you’re not computer savvy, there is one very important fact you need to understand about computer security: on a PC, ANY program you download and run on your PC can access pretty much ANYTHING on your PC, send copies of it over the internet to anywhere it wants to send it. This includes WriteLog! If you do not trust W5XD,, or N9OH with writing software that will not peruse your PC for personal data and transmit it over the internet, then do not double click setup.exe on any of our downloads! And this same fact goes for anything you download–if you don’t trust the source of the file, then do not run it! On the other hand, the WriteLog team thanks you, our customers, for the trust you have placed in us by your purchase.

What can you do? Unfortunately, the answer is that it is impossible to guarantee security. Given the amount of time that good security technology has been available, the computer industry–led by Microsoft, but they are not the only guilty party–has done an abysmal job solving this problem. Some day the industry will get its act together and make security, encryption and authentication intrinsic to the email, file download, and software distribution products that everyone uses, but that day hasn’t come. Therefore it takes some understanding on the part of the computer user to keep himself internet-safe. Since WriteLog is a product for amateur radio contesters, who are much more technically adept than the average consumer, the WriteLog team is providing these security features for our customers to use. If you’re a ham and you have read this far, but don’t understand what this security discussion is all about, then we recommend you follow through this process in the true ham radio tradition: learn about computer security by doing it.

How does the signature work?

From your point of view as a WriteLog customer, you see three separate files that you have to know how to combine in order to keep your WriteLog downloads safe: (a) the WriteLog public key and (b) the signature file for a given download file–named .sig, and (c) the .zip file you download containing the software itself. You need a software program (download PGP below) that reads all three of these files and verifies the signature. PGP does this verification. It combines those three files and gives you an answer, but its a very simple answer: yes or no. PGP tells you yes if the public key indeed is the key used to sign the downloaded zip file (as signed by the corresponding .sig file).

But even if PGP says yes you are not sure its a safe file yet!

The security that you get from a yes answer actually depends entirely from your own confidence that the WriteLog public key that you have (as contained in the file WriteLogSales.asc) is in fact what you hope it is. You hope it is a key that only W5XD or N9OH could have published and that no one else could possibly forge. If you are an expert cryptographer, you can entertain a discussion about the possibility of producing a forgery, but for the rest of us, until someone figures out a way to quickly factor products of large prime numbers, there really is only one possible way to forge the key that we have to worry about. The published public key might not actually have been published by the person you think published it. Your security depends on your level of confidence that the public key file that you have (in this case WriteLogSales.asc) actually was created by the WriteLog team. There is no magic answer to this question of trust. Read on.

WriteLogSales PGP Key

This link might be the authentic WriteLog Sales public key: WriteLogPurchases.asc for versions 10.77 and later, or this one for versions 10.76 and prior: WriteLogSales.asc. In fact, they actually were the authentic keys when I placed them on the website in February, 2004 and July, 2010, respectively. However, you must decide whether you trust it. There are two other ways you might get a key, and both are more trustworthy than downloading from this website. Probably the most trustworthy route available to you is is if you purchase WriteLog on CD. In that case, a copy of WriteLogPurchases.asc is on the CD (effective July, 2010). (WriteLogSales.asc on CD’s prior to version 10.76). You can be pretty sure that we actually created that CD, and that we put the copy of the key on the CD.

If, instead, you received the key by email, then you have to consider the possibility that someone substituted a different key while the email was in route to you. We cannot guarantee that did not happen.

The least trustworthy way to get a copy of the key is to download it from the link above. I knew is was good when I placed it there, and I check from time to time that it is still OK, but the possibility remains that hackers have broken into WriteLog.com and replaced WriteLogPurchases.asc with a new file that is their key and not ours, and replaced the WriteLog download .zip files with their viruses and spyware, and replaced the .sig files with their own signatures that go with their copy of WriteLogPurchases.asc! If a hacker replaces all three of those files properly, then PGP will report to you that yes the download is a verified file when in fact it is a load of virues and spyware! Remember, even if the key is good today, a hacker can break into the website tomorrow and replace it with a forgery, and all they need to produce the necessary forgery is the same PGP that you can download for free, and a hack into to writelog.com web server. Web servers get broken into every day!

The way we expect most users to deal with this key is to take a copy of the key and never overwrite the original even if new copies become available. After you have had a copy of the key for a few months and nothing bad has happened to you, then your confidence that it was good goes up. Once you have a WriteLogPurchases.asc file that you have confidence actually came from N9OH and/or W5XD, then do not replace it. Ever! The only reason to replace it is if you are 100% certain that the new key is actually authentic. (and how could that be? you thought the original was authentic!)

Where can I get PGP software?

Notice that you immediately have a problem with trust. How do you know that the websites listed below actually are going to have a real copy of PGP that you can trust? The answer is: you don’t! But if you never start the process of running trusted security software, then you will never build any confidence that you have any security. But, on the other hand, if you download, install, and run PGP for a while and nothing bad happens, then your confidence grows.

Free versions:

The GNU project has published a PGP implementation compatible with the signatures posted on writelog.com:

http://www.gnupg.org/

As of this writing (updated Oct 2, 2016) this kit has easy-to-use tools in it for verifying signatures:
https://www.gpg4win.org/download.html

Import the WriteLogPurchases.asc (and/or the WriteLogSales.asc for old versions of WriteLog)  key into gpg one of these ways (or off a key server). The import need only be done once on a machine:

If you have been using PGP before:

<path-to-gnu pg>\gpg.exe –import <path-to-pgp>/keyring/pubring.pkr -u purchases@writelog.com

Or, after downloading WriteLogPurchases.asc:

<path-to-gnu pg>\gpg.exe –import WriteLogPurchases.asc

The procedure to verify a WriteLog download is to first download both the file of interest and its corresponding .sig file to the same directory. Then this command:

<path-to-gnu pg>\gpg.exe –verify <downloaded-file-name>.sig

You need to see this in the response:

gpg: Good signature from “WriteLog Sales <purchases@writelog.com>”
(or “WriteLog Sales <sales@writelog.com>” for older versions)