GPG : Signing / verifying

GPG Index

As seen in a former article gpg can be used to encrypt and decrypt a message or file. Important to realise…you don’t need a password/passprase to encrypt. As soon as you posess the public key of the user you want to encrypt for, you can do just that.

That leaves us with the problem of deciding whether a message/file is really from the one it claims it from.

If f.i. blake hacked Alice’ system and starts mailing (or sending files) in her name, just encrypting is not the answer. Luckily gpg also provides signing (and verifying) messages. If I write a message and sign it, that’s done with my provate key, which is password protected. So if I want to send a file and want to sign it, I need to know the password. And since we do not have our passwords on post-it notes on our monitor, I’m the only one who can possibly know this password, hence….the message must be send by me.

On the receiving part, if I have the corresponding public key, I can verify whether a message is signed with that private key. Let’s see that in action.

The scenario: Alcie has a message she sends to Bob which she wants to sign:

[alice@radijs ~]$ cat alice.txt
Alice wrote this

Really....Alice wrote this...you have to believe me.

[alice@radijs ~]$

Anyone can do this…If Bob needs to be sure that Alice actually did write this message, Alice has to sign it, with her private key.

Let’s do just that :

[alice@radijs ~]$ gpg --sign alice.txt 
                                       <<== password interaction
[alice@radijs ~]$ ls -altr alice.txt*
-rw-rw-r--. 1 alice alice  73 28 nov 11:04 alice.txt
-rw-rw-r--. 1 alice alice 398 30 nov 17:19 alice.txt.gpg
[alice@radijs ~]$ 

There it is: a signed file. Let's send that file over to Bob and verify it:

[bob@radijs ~]$ gpg --verify alice.txt.gpg 
gpg: Signature made ma 30 nov 2020 17:19:39 CET
gpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7
gpg: Good signature from "Alice " [ultimate]
[bob@radijs ~]$ 

That' looks promising. Thing is....what was actually signed?

[bob@radijs ~]$ gpg --decrypt alice.txt.gpg 
Alice wrote this

Really....Alice wrote this...you have to believe me.


gpg: Signature made ma 30 nov 2020 17:19:39 CET
gpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7
gpg: Good signature from "Alice " [ultimate]
[bob@radijs ~]$

OKay...verify only verifies the signature, decrypt also shows the (embedded) message/file.

Another option is --clear-sign. This command will embed the document in clear text in the file:

[alice@radijs ~]$ gpg --clear-sign alice.txt
                                       <<== password interaction
[alice@radijs ~]$
[alice@radijs ~]$ ls -l
-rw-rw-r--. 1 alice alice  610 30 nov 17:34 alice.txt.asc
[alice@radijs ~]$
[alice@radijs ~]$ cat alice.txt.asc 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alice wrote this

Really....Alice wrote this...you have to believe me.


-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEm0CxvHGtLSEtMWzu2mUWGFe3PdcFAl/FHw0ACgkQ2mUWGFe3
PdendQf9Fv2EQ16PO26Q0EMU+MlzBFr5G+xDc9A4AAWd7X646GlTonhNzWq1YV/T
YR5t3kx12DMKvRxXgnuVMJKo+T2bojl/cqmOyCwacnao9/+L9urs2hwD/ZYuiJX8
+8+Zi3IEjWN/McXsdNsiJfy6+pn09+7TbwHZ0mhmOBKFF74maFQcy/YNDeblbVxM
PJFc3DPTmzrd9BzPyjfOAY4K7ekWYGjOZ65cZnBfn1r/SeOjWUXb7HYGn87YBj+/
yhmR7ASXnjmus+Ynfo+UFK928wwCgm7fxd5tfhpym+QNvDZcJsG1tZ0VjL/+KTNE
5R7XcdToznORRq/dZe+FKX8yD/9CBw==
=NW2a
-----END PGP SIGNATURE-----
[alice@radijs ~]$

You now can see the content of the file, as well as the signature information.

Push it to Bob, and see whether he can verify that message.

[bob@radijs ~]$ cat alice.txt.asc 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alice wrote this

Really....Alice wrote this...you have to believe me.


-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEm0CxvHGtLSEtMWzu2mUWGFe3PdcFAl/FHw0ACgkQ2mUWGFe3
PdendQf9Fv2EQ16PO26Q0EMU+MlzBFr5G+xDc9A4AAWd7X646GlTonhNzWq1YV/T
YR5t3kx12DMKvRxXgnuVMJKo+T2bojl/cqmOyCwacnao9/+L9urs2hwD/ZYuiJX8
+8+Zi3IEjWN/McXsdNsiJfy6+pn09+7TbwHZ0mhmOBKFF74maFQcy/YNDeblbVxM
PJFc3DPTmzrd9BzPyjfOAY4K7ekWYGjOZ65cZnBfn1r/SeOjWUXb7HYGn87YBj+/
yhmR7ASXnjmus+Ynfo+UFK928wwCgm7fxd5tfhpym+QNvDZcJsG1tZ0VjL/+KTNE
5R7XcdToznORRq/dZe+FKX8yD/9CBw==
=NW2a
-----END PGP SIGNATURE-----
[bob@radijs ~]$ 
[bob@radijs ~]$ gpg --verify alice.txt.asc 
gpg: Signature made ma 30 nov 2020 17:34:21 CET
gpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7
gpg: Good signature from "Alice " [ultimate]
gpg: WARNING: not a detached signature; file 'alice.txt' was NOT verified!
[bob@radijs ~]$

Yes he can. But...take notice of the warning message: The signature is OK in itself. The file itself that was signed is not present, gpg can not determine whether the file is tampered with.

What we can do...a detached signature:

[alice@radijs ~]$ gpg --detach-sign alice.txt
                                       <<== password interaction
[alice@radijs ~]$ 
[alice@radijs ~]$ ls -l alice.txt.sig 
-rw-rw-r--. 1 alice alice 310 30 nov 17:48 alice.txt.sig

And try to verify the file:

[bob@radijs ~]$ gpg --verify alice.txt.sig 
gpg: no signed data
gpg: can't hash datafile: Geen gegevens
[bob@radijs ~]$

Ow...Okay...Then try verifying the message itself:

[bob@radijs ~]$ gpg --verify alice.txt
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
[bob@radijs ~]$ 

Yes...there is no signature file available...let's have both the message and the signature file:

[bob@radijs ~]$ gpg --verify alice.txt.sig 
gpg: assuming signed data in 'alice.txt'
gpg: Signature made ma 30 nov 2020 17:48:03 CET
gpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7
gpg: Good signature from "Alice " [ultimate]
[bob@radijs ~]$

Yup...success...that's all there is to it.

Leave a Reply

Your email address will not be published. Required fields are marked *