The hard evidence about Craig Wright’s backdated PGP key — Step by step guide (for Windows users)

Dr Craig Wright is back in the news and there is more confusion and accusations, with many people concerned about misinformation and a lack of hard evidence. The below is a step by step guide to verify exactly what happened with Craig Wright’s supposedly backdated PGP key.

Step 1 - View the PGP key fingerprint in the Tulip Trust document

The Tulip Trust document can be seen below, it contains 4 PGP key fingerprints.

The third fingerprint, generated by Craig Wright, is the subject of this guide and is the one which is alleged to have been backdated.

0AC1 8AFE 1F8D 3512 BE15 6909 B18B BF41 1F55 6274

Step 2 - Find the PGP key on MIT’s server

Visit the MIT PGP Public Key Server here and search for “0xb18bbf411f556274”. The results should look like this:

This shows that the date the key was supposedly created on was 17th January 2008. You can then click through to see the public key block:

You can then download the key to your local system. For example by downloading the following file.

Step 3 - View the details of the key

On Windows, you can then install the following program:

https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.19_20170328.exe

Then open “gpa.exe” and go to the “Keyring” to import Craig Wright’s PGP key, which you downloaded in step 2.

Then go to Start > Run and type “cmd”. In the command window, type:

gpg --export 1F556274 | gpg --list-packets

You should then see something that looks like this:

The above output mentions:

hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)

The numbers are a list of hash functions used. The numbers represent the following:

8 = SHA256
2 = SHA-1
9 = SHA384
10 = SHA512 
11 = SHA224

Step 4 - Verify when this list of ciphers was specified

View the commit here. You can see these ciphers being added to the PGP software.

Please note, the comments mention that:

Ordering SHA-1 before SHA-384 might be viewed as a bit strange

This commit occurred in July 2009, around 18 months after Dr Wright’s PGP key was supposedly generated.

Conclusion

The above steps demonstrate that Craig Wright recorded the creation date of his key as January 2008 and ciphers were used which were only specified in July 2009. This suggests the key creation date is inaccurate.

Craig Wright could have manually specified these ciphers back in 2008, however there is no reason for him to have done that. Also, if Mr Wright had manually specified these ciphers, it is a remarkable coincidence that these same exact algorithms (in the same order) were then specified 18 months later as the software default. Actually, given the number of algorithms available, one can estimate the probability of this coincidence occurring as 1 in 13,692.

This coincidence event, is exactly what is claimed in the following paper. In-fact, the paper even demonstrates how one could create a PGP key with these newer ciphers, back in 2008:

At hoaxChain, we maintain that this remarkable coincidence occurred. However, what you choose to believe, is up to you…