A Practical Guide to GPG – Part 4 Digital Signature
Previous 3 parts of this GPG tutorial series covered GPG encryption. In this part, we will take a look at how to use GPG for signing.
GPG can sign a document without encrypting it.
Sometimes you may want to send somebody a document and you don’t care whether the content is confidential but you want to make sure that the person receives it knows it comes from you and also hasn’t been changed. The integrity of the document is intact. We can do so by signing a document with our private key.
Sign with your private key:
gpg --clearsign <filename>
The clearsign option means make a clear text signature. The content in a clear text signature is readable without any special software. OpenPGP software is only needed to verify the signature.
Notice that you will use your private key to create the digital signature so you need to provide a passphrase to unlock your private key. When the command is completed, a new file with .asc extension is created.
There’re some interesting tidbits you can get from this .asc file. So open it up in your text editor. You will find the hash algorithm used. In my case GPG used SHA256 as the hash algorithm which is strong enough. Note that SHA1 is obsolete. The PGP signature is placed right after the original content.
The plaintext file is first hashed, then your private key is used to sign the hash.
Verify the Signature
I had imported my public key to my remote Debian box. So I will send this signed document to Debian and verify the signature on Debian.
scp <filename.asc> [email protected]:~
Now log into Debian.
The verfication does two things. It make sure that the file has not been changed somehow in transit. There’s a hash caculated and then the hash is signed with private key. By signing with the private key, it allows the recipient to determine the authenticity of the sender.
Verify the signature with following command:
gpg --verify <filename.asc>
During the verifcation process, gpg determines what key (key ID) is used to sign the document and then use the corresponding public key from public keyring to verify the signature.
gpg: Signature made Mon Feb 1 23:53:44 2016 EST using RSA key ID 4F0BDACC gpg: Good signature from "Xiao Guoan <[email protected]>"
It says it’s a good signature. So the verification is successful.
Signing and Encrypting
If we want to make sure that the authencitiy of the sender is checked as well as the integrity of the encrypted message and we want to provide confidentiality, use the below command:
gpg --armor --recipient <user-id> -e --sign <filename>
You need a passphrase to unlock the secret key for user: "Xiao Guoan <[email protected]>" 2048-bit RSA key, ID 0F8BBD66, created 2016-02-02 Enter passphrase:
You need to enter your passphrase to unlock private key. It combines the commands to sign and encrypt in one step. It first sign the docuement with your private key, then encrypt it with the recipient’s public key.
First it’s going to sign the message because we want the hash caculated with raw file, not the encrypted file. Then the hash is signed with our private key.
Decrypt and Verify
The decrypt process will automatically verify the signature.
gpg --decrypt <filename.asc>