≡ Menu

How to Digitally Sign a File in Linux using GnuPg (Digital Signatures)

As many organizations move away from paper documents to digital documents, digital signatures are required to manage any sensitive digital documents. Digital signatures can be used to authenticate the source of the message, such that the receiver can decide whether to trust the sender or not. Now-a-days it is most widely used for software distribution and financial transactions.

In public key cryptography, it is possible to use a private key to sign a file. Anyone who has the corresponding public key can check whether the file was signed by the private key. Anyone who doesn’t have the private key cannot forge such a signature.

Digital signatures can be used for sender authentication and non-repudiation. The signer can’t claim that they didn’t sign the document.

Now-a-days, digital signatures plays a key role in software distribution. When you install any software from debian mirror, once the software is downloaded, it will verify whether the software is from a trusted source by verifying the signature, thus ensuring that the package is from a trusted source.

Now, we will see the various methods to sign documents using GnuPG tool.

If you are new to GnuPG tool, you should first understand how to use the basic gpg commands.

A digital signature, certifies and timestamps a document. If the document is altered in any way, a verification of the signature will fail.

1. Create digital signature for a file

To digitally sign a document –sign option is used. You will be asked to enter your passphrase to unlock the private key which is used for signing the document.

$ gpg --sign file.txt

You need a passphrase to unlock the secret key for
user: "lakshmanan (This is lakshmans key) "
2048-bit RSA key, ID 3630F8D6, created 2012-12-30

Enter passphrase:

Now it will create a file named “file.txt.gpg” in binary format. The input file is compressed before signing the file.

2. Verify digital signature

Given a signed document, you can verify the signature using –verify option.

$ gpg --verify file.txt.gpg

gpg: Signature made Saturday 12 January 2013 11:17:46 PM IST using RSA key ID 3630F8D6
gpg: Good signature from "lakshmanan (This is lakshmans key) "

The above command verifies that the signature made is good.

3. Extract the document from the file

To extract the original document from the signed file, use –decrypt option. You can use the –output to specify the output file to store the actual file contents.

$ gpg --output doc.txt --decrypt file.txt.gpg

gpg: Signature made Saturday 12 January 2013 11:17:46 PM IST using RSA key ID 3630F8D6
gpg: Good signature from "lakshmanan (This is lakshmans key) "

Now the actual document will be saved in doc.txt file.

4. To clear sign the documents

A common use of digital signatures is to send E-Mails. In such a case, it is not desirable to compress the file in binary and sign it. You can use –clearsign option to make the file wrapped within ASCII armored signatures.

$ gpg --output file.sig --clearsign file.txt

Now a ASCII file named file.sig will be created which contains the digital signature and the file itself.

$ cat file.sig

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a test file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJQ8af1AAoJEHUf3BE2MPjWJ6QIAIoM7vZlvVD4PR4TgqKkUAr5
S4Pc/7tjkEquBcPfzHgm6MPdTd7kIvUzwHNkkST0FyB2cLzvx8wNf7Zp/kDYL0Uz
/7UCocMPsDBYHasUY4XRfCDUkF0ER/NAFdiL9AUTvQf6oQxwuQG9sWxb6tcK8eiV
U7BBvQvMl6RszP+e7VXgcDbNeYMrTDwrivP9BKwAFuBtZmRg0vQKnjenUyVJL6gJ
tndkwtOd1XGpc5ZKCTRSKOoTonuUQAD1q0Pi6nmeaNskSqwVOxzQcV6lQ8nHJTh2
XfKSAopNriv405YfC1KO5H2Ffzee2jx+o3HqxfU1vQbHtP7uf4QqxUc2HtDnRNQ=
=PN+K
-----END PGP SIGNATURE-----

Verifying the clear signed document is similar to verifying the binary signed document.

5. Create detached signature

In case of detached signatures, a new file is created as signature. You can use –detach-sign option to create a detached signature.

$ gpg --armor --detach-sig file.txt

Now a ASCII file named file.txt.asc will be created which contains the detached signature. You can using –output to change the detached signature file name.

6. Verify the detached signature

In order to verify a detached signature, you need to have both the signature file and the data file.

$ gpg --verify file.txt.asc file.txt

gpg: Signature made Sunday 13 January 2013 12:13:59 AM IST using RSA key ID 3630F8D6
gpg: Good signature from "lakshmanan (This is lakshmans key) "

Let’s try editing the file.txt. Add some content to the file.txt and try verifying the signature.

$ echo "Append" >> file.txt

$ gpg --verify file.txt.asc file.txt
gpg: Signature made Sunday 13 January 2013 12:13:59 AM IST using RSA key ID 3630F8D6
gpg: BAD signature from "lakshmanan (This is lakshmans key) "

Now the verification got failed saying BAD signature since the content is modified.

7. Encrypt and Sign a document

In one of our previous post, we also discussed in detail about how to encrypt and decrypt a file using GnuPG. But, if you want to encrypt and sign a document at the same time, do the following:

$ gpg --sign --encrypt --recipient raman file.txt

The above command encrypts the file.txt and sign the document digitally. The recipient can verify the signature and decrypt the document using –decrypt option.

Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • Bob April 1, 2013, 9:13 am

    Thanks for the good article. Learned something new today…

  • Jalal Hajigholamali April 1, 2013, 9:14 am

    Hi,
    Thanks a lot
    Very nice and useful article
    Thanks again

  • pathum April 2, 2013, 9:38 am

    Nice post …

  • Biswajit Sahoo April 3, 2013, 1:24 am

    Good and descriptive information……Thanks a lot!!!

  • Anonymous April 8, 2013, 9:03 am

    Great post!!

  • Nicolas Jimenez March 3, 2015, 12:28 am

    Great! Thanks, can you please help me. I need to obtain the SHA-1 of my public key. how can achieve it?

  • Edwin March 15, 2015, 11:56 pm

    Hi,

    Just want to very, very sure. Is it safe to try the above commands?

    Does this work only for when both parties will be using the same gpg command?

  • Anagha June 26, 2015, 1:27 am

    Hello Can the verify utility be able to verify keys generated by any other security API methods i.e. key other than those generated by gpg –gen-key