Digital archeology -- verifying a signed Usenet message from 1995

Lars Noodén lars.nooden at gmx.com
Sun May 17 17:51:01 CEST 2026


On 5/17/26 17:35, Robert J. Hansen via Gnupg-users wrote:
>> What should I be looking at to work with an old version of GnuPG 
>> having sufficiently outdated cipher and checksum algorithms to verify 
>> a Usenet message¹ from 1995?
> 
> GnuPG 1.4 might be able to. But you'll need Ylönen's ClassicPGP 
> certificate, I'm afraid, and that might be hard to find.

Thanks.  I've installed GnuPG 1.4.23-2 for now.

And it looks like Tatu Ylönen's public key is there at the end of his 
message, plus there is the same key ID at pgp.mit.edu even today.  But 
that public key is not self-signed, which presents a problem that I have 
tried to address¹ with the --allow-non-selfsigned-uid option.

However, if the above approach was correct, then I'm somehow approaching 
the verification incorrectly:

$ gpg1 --list-keys
/home/me/.gnupg/pubring.gpg
-----------------------------
pub   1024R/DCB9AE01 1995-04-24
uid                  Ssh distribution key <ylo at cs.hut.fi>

$ gpg1 --verify message.usenet
gpg: Signature made Wed 12 Jul 1995 05:50:42 PM EEST using RSA key ID 961F4A35
gpg: Can't check signature: public key not found

$ gpg1 -u ylo at cs.hut.fi --verify message.usenet
gpg: Signature made Wed 12 Jul 1995 05:50:42 PM EEST using RSA key ID 961F4A35
gpg: Can't check signature: public key not found

/Lars
---

¹ Here is the process which I used to import the key:

$ gpg1 --import --allow-non-selfsigned-uid -v ylo-public.key
gpg: keyring `/home/me/.gnupg/pubring.gpg' created
gpg: armor header: Version: 2.6.i
gpg: pub  1024R/DCB9AE01 1995-04-24  Ssh distribution key <ylo at cs.hut.fi>
gpg: key DCB9AE01: accepted non self-signed user ID "Ssh distribution key <ylo at cs.hut.fi>"
gpg: using PGP trust model
gpg: Invalid key DCB9AE01 made valid by --allow-non-selfsigned-uid
gpg: key DCB9AE01: public key "Ssh distribution key <ylo at cs.hut.fi>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: 1 keys cached (1 signatures)
gpg: 23 keys processed (0 validity counts cleared)
gpg: public key of ultimately trusted key 787E4228 not found
gpg: public key of ultimately trusted key 71BDB2EB not found
gpg: public key of ultimately trusted key 1011EF31 not found
gpg: public key of ultimately trusted key 653CEAE7 not found
gpg: public key of ultimately trusted key 00D026C4 not found
gpg: public key of ultimately trusted key FE35B305 not found
gpg: public key of ultimately trusted key 3845389F not found
gpg: public key of ultimately trusted key DA87EF9A not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: Invalid key DCB9AE01 made valid by --allow-non-selfsigned-uid
gpg: depth: 0  valid:   8  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 8u


$ gpg1 --check-sigs
/home/me/.gnupg/pubring.gpg
-----------------------------
pub   1024R/DCB9AE01 1995-04-24
uid                  Ssh distribution key <ylo at cs.hut.fi>

1 signature not checked due to a missing key
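
An added example, not part of the original post and not GnuPG's code: the --verify output above names key ID 961F4A35, while the keyring lists only DCB9AE01. The Python below reads the issuer key ID from a v3 signature packet and the key ID from a v3 RSA public key packet (RFC 4880 old-format packets) and reports whether the keyring holds the issuer. The packets are constructed samples in which only the low 32 bits echo the short IDs shown in the post, and all function names are assumptions.

```python
import struct

def packets(data):
    """Yield (tag, body) for old-format OpenPGP packets (RFC 4880, section 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0xC0 != 0x80 or hdr & 0x03 == 3:
            raise ValueError("expected an old-format packet with a definite length")
        width = 1 << (hdr & 0x03)                 # 1, 2 or 4 length octets
        start = pos + 1 + width
        length = int.from_bytes(data[pos + 1:start], "big")
        yield (hdr >> 2) & 0x0F, data[start:start + length]
        pos = start + length

def v3_key_id(body):
    """Key ID of a v2/v3 RSA key: the low 64 bits of the modulus n."""
    if body[0] not in (2, 3) or body[7] != 1:
        raise ValueError("not a v2/v3 RSA public key packet")
    bits = int.from_bytes(body[8:10], "big")      # MPI bit count of the modulus
    return body[10:10 + (bits + 7) // 8][-8:].hex().upper()

def v3_sig_issuer(body):
    """Issuer key ID of a v2/v3 signature: octets 7..14 of the packet body."""
    if body[0] not in (2, 3) or body[1] != 5:
        raise ValueError("not a v2/v3 signature packet")
    return body[7:15].hex().upper()

def issuers_in_keyring(keyring, signature):
    """Map each issuer key ID in `signature` to whether `keyring` holds that key."""
    have = {v3_key_id(b) for tag, b in packets(keyring) if tag == 6}
    return {v3_sig_issuer(b): v3_sig_issuer(b) in have
            for tag, b in packets(signature) if tag == 2}

# --- constructed sample packets (not the real key or signature) ---
def pkt(tag, body):                               # old-format header, 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def mpi(raw):                                     # bit count, then big-endian octets
    return struct.pack(">H", (len(raw) - 1) * 8 + raw[0].bit_length()) + raw

# Toy modulus: only the low 32 bits match the short ID in the key listing.
N = bytes.fromhex("C0FFEE") + bytes(5) + bytes.fromhex("DCB9AE01")
KEY = pkt(6, bytes([3]) + bytes(4) + bytes(2) + bytes([1]) + mpi(N) + mpi(b"\x11"))
SIG = pkt(2, bytes([3, 5, 1]) + bytes(4) + bytes.fromhex("00000000961F4A35")
          + bytes([1, 1]) + bytes(2) + mpi(b"\x7f"))

if __name__ == "__main__":
    print(issuers_in_keyring(KEY, SIG))
```

The functions expect binary packets, so ASCII-armored input has to be de-armored first.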





