As many organizations move away from paper documents to digital documents, digital signatures are required to manage any sensitive digital documents. Digital signatures can be used to authenticate the source of the message, such that the receiver can decide whether to trust the sender or not. Now-a-days it is most widely used for software distribution and financial transactions.
In public key cryptography, it is possible to use a private key to sign a file. Anyone who has the corresponding public key can check whether the file was signed by the private key. Anyone who doesn’t have the private key cannot forge such a signature.
Digital signatures can be used for sender authentication and non-repudiation. The signer can’t claim that they didn’t sign the document.
Now-a-days, digital signatures plays a key role in software distribution. When you install any software from debian mirror, once the software is downloaded, it will verify whether the software is from a trusted source by verifying the signature, thus ensuring that the package is from a trusted source.
Now, we will see the various methods to sign documents using GnuPG tool.
If you are new to GnuPG tool, you should first understand how to use the basic gpg commands.
A digital signature, certifies and timestamps a document. If the document is altered in any way, a verification of the signature will fail.
1. Create digital signature for a file
To digitally sign a document –sign option is used. You will be asked to enter your passphrase to unlock the private key which is used for signing the document.
$ gpg --sign file.txt You need a passphrase to unlock the secret key for user: "lakshmanan (This is lakshmans key) " 2048-bit RSA key, ID 3630F8D6, created 2012-12-30 Enter passphrase:
Now it will create a file named “file.txt.gpg” in binary format. The input file is compressed before signing the file.
2. Verify digital signature
Given a signed document, you can verify the signature using –verify option.
$ gpg --verify file.txt.gpg gpg: Signature made Saturday 12 January 2013 11:17:46 PM IST using RSA key ID 3630F8D6 gpg: Good signature from "lakshmanan (This is lakshmans key) "
The above command verifies that the signature made is good.
3. Extract the document from the file
To extract the original document from the signed file, use –decrypt option. You can use the –output to specify the output file to store the actual file contents.
$ gpg --output doc.txt --decrypt file.txt.gpg gpg: Signature made Saturday 12 January 2013 11:17:46 PM IST using RSA key ID 3630F8D6 gpg: Good signature from "lakshmanan (This is lakshmans key) "
Now the actual document will be saved in doc.txt file.
4. To clear sign the documents
A common use of digital signatures is to send E-Mails. In such a case, it is not desirable to compress the file in binary and sign it. You can use –clearsign option to make the file wrapped within ASCII armored signatures.
$ gpg --output file.sig --clearsign file.txt
Now a ASCII file named file.sig will be created which contains the digital signature and the file itself.
$ cat file.sig -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is a test file -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJQ8af1AAoJEHUf3BE2MPjWJ6QIAIoM7vZlvVD4PR4TgqKkUAr5 S4Pc/7tjkEquBcPfzHgm6MPdTd7kIvUzwHNkkST0FyB2cLzvx8wNf7Zp/kDYL0Uz /7UCocMPsDBYHasUY4XRfCDUkF0ER/NAFdiL9AUTvQf6oQxwuQG9sWxb6tcK8eiV U7BBvQvMl6RszP+e7VXgcDbNeYMrTDwrivP9BKwAFuBtZmRg0vQKnjenUyVJL6gJ tndkwtOd1XGpc5ZKCTRSKOoTonuUQAD1q0Pi6nmeaNskSqwVOxzQcV6lQ8nHJTh2 XfKSAopNriv405YfC1KO5H2Ffzee2jx+o3HqxfU1vQbHtP7uf4QqxUc2HtDnRNQ= =PN+K -----END PGP SIGNATURE-----
Verifying the clear signed document is similar to verifying the binary signed document.
5. Create detached signature
In case of detached signatures, a new file is created as signature. You can use –detach-sign option to create a detached signature.
$ gpg --armor --detach-sig file.txt
Now a ASCII file named file.txt.asc will be created which contains the detached signature. You can using –output to change the detached signature file name.
6. Verify the detached signature
In order to verify a detached signature, you need to have both the signature file and the data file.
$ gpg --verify file.txt.asc file.txt gpg: Signature made Sunday 13 January 2013 12:13:59 AM IST using RSA key ID 3630F8D6 gpg: Good signature from "lakshmanan (This is lakshmans key) "
Let’s try editing the file.txt. Add some content to the file.txt and try verifying the signature.
$ echo "Append" >> file.txt $ gpg --verify file.txt.asc file.txt gpg: Signature made Sunday 13 January 2013 12:13:59 AM IST using RSA key ID 3630F8D6 gpg: BAD signature from "lakshmanan (This is lakshmans key) "
Now the verification got failed saying BAD signature since the content is modified.
7. Encrypt and Sign a document
In one of our previous post, we also discussed in detail about how to encrypt and decrypt a file using GnuPG. But, if you want to encrypt and sign a document at the same time, do the following:
$ gpg --sign --encrypt --recipient raman file.txt
The above command encrypts the file.txt and sign the document digitally. The recipient can verify the signature and decrypt the document using –decrypt option.