robertdavidgraham / hunter-dkim

Discusses how to verify DKIM signatures in old emails, namely one of the Hunter Biden emails in the news

Add instructions for key triangulation #4

Open gmaxwell opened 3 years ago

gmaxwell commented 3 years ago

A question some people will have when confirming this confirmation is if the provided old google key is authentic. One way that you can check this is by checking if other contemporary known-google-signed messages were signed with the same key.

One way for any person who was using gmail back in 2015 to accomplish this is simply by validating one of their own received emails from on/around the date in question.

It's as simple as bringing up an email to you in gmail from around that date, clicking show original, and pasting the entire text output into a file. The file will then validate with the repo's script. (And indeed, it does for me on a couple messages I checked).

I was also able to check those messages against an old google-takeout dump of my entire mailbox.

Presumably other people have older published google-received messages from around that date, complete with headers. It might even be possible to find some in court records to convince people who don't have their own.
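
A pre-check for the triangulation described in the comment above, as an added example that is not part of the original thread or the repo's script: before validating your own message, confirm that its DKIM-Signature names the same signing domain (`d=`) and selector (`s=`) as the disputed message and that the two are close in date, since only then does a successful validation say anything about the same key. The sample messages, `example.com`, `sel-a`/`sel-b` and the 90-day window are constructed assumptions.

```python
import email
from email.utils import parsedate_to_datetime

def dkim_tags(header_value):
    """Parse one DKIM-Signature value (an RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folded headers carry whitespace inside values; drop it.
            tags[name.strip()] = "".join(value.split())
    return tags

def key_refs(raw_message):
    """Return ({(signing domain, selector), ...}, Date as epoch seconds)."""
    msg = email.message_from_string(raw_message)
    refs = set()
    for value in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(value)
        if "d" in tags and "s" in tags:
            refs.add((tags["d"].lower(), tags["s"].lower()))
    return refs, parsedate_to_datetime(msg["Date"]).timestamp()

def shared_key_refs(disputed_raw, own_raw, max_days=90):
    """(domain, selector) pairs both messages name, if their dates are close."""
    d_refs, d_ts = key_refs(disputed_raw)
    o_refs, o_ts = key_refs(own_raw)
    if abs(d_ts - o_ts) > max_days * 86400:
        return []  # too far apart in time to say anything about this key
    return sorted(d_refs & o_refs)

# Constructed sample messages (not real mail); example.com and the
# selectors sel-a / sel-b are placeholders, not values from the repo.
def _sample(selector, date):
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
        f"        d=example.com; s={selector};\n"
        "        h=from:to:subject:date; bh=AAAA=; b=BBBB==\n"
        f"Date: {date}\nFrom: a@example.com\nSubject: test\n\nbody\n"
    )

DISPUTED = _sample("sel-a", "Wed, 01 Apr 2015 10:00:00 +0000")
OWN = _sample("sel-a", "Fri, 01 May 2015 10:00:00 +0000")
ROTATED = _sample("sel-b", "Fri, 01 May 2015 10:00:00 +0000")

if __name__ == "__main__":
    print(shared_key_refs(DISPUTED, OWN))      # same domain and selector
    print(shared_key_refs(DISPUTED, ROTATED))  # different selector
```

This only compares which key the two messages reference; the signature on each message still has to validate with the repo's script.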

gmaxwell commented 3 years ago

Petertodd's PR #5 does an even better job, giving people who don't have their own google-signed messages from that time a way of verifying someone else's.