{"id":280,"date":"2020-11-30T18:27:16","date_gmt":"2020-11-30T18:27:16","guid":{"rendered":"https:\/\/maboc.nl\/?p=280"},"modified":"2020-11-30T18:27:16","modified_gmt":"2020-11-30T18:27:16","slug":"gpg-signing-verifying","status":"publish","type":"post","link":"https:\/\/maboc.nl\/?p=280","title":{"rendered":"GPG : Signing \/ verifying"},"content":{"rendered":"

GPG Index<\/a><\/p>\n

As seen in a former article gpg can be used to encrypt and decrypt a message or file. Important to realise…you don’t need a password\/passprase to encrypt. As soon as you posess the public key of the user you want to encrypt for, you can do just that.<\/p>\n

That leaves us with the problem of deciding whether a message\/file is really from the one it claims it from.<\/p>\n

If f.i. blake hacked Alice’ system and starts mailing (or sending files) in her name, just encrypting is not the answer. Luckily gpg also provides signing (and verifying) messages. If I write a message and sign it, that’s done with my provate key, which is password protected. So if I want to send a file and want to sign it, I need to know the password. And since we do not have our passwords on post-it notes on our monitor, I’m the only one who can possibly know this password, hence….the message must be send by me.<\/p>\n

On the receiving part, if I have the corresponding public key, I can verify whether a message is signed with that private key. Let’s see that in action.<\/p>\n

The scenario: Alcie has a message she sends to Bob which she wants to sign:<\/p>\n

\r\n[alice@radijs ~]$ cat alice.txt\r\nAlice wrote this\r\n\r\nReally....Alice wrote this...you have to believe me.\r\n\r\n[alice@radijs ~]$\r\n<\/pre>\n
Anyone can do this…If Bob needs to be sure that Alice actually did write this message, Alice has to sign it, with her private key.<\/p>\n
Let’s do just that :<\/p>\n
\r\n[alice@radijs ~]$ gpg --sign alice.txt \r\n                                       <<== password interaction\r\n[alice@radijs ~]$ ls -altr alice.txt*\r\n-rw-rw-r--. 1 alice alice  73 28 nov 11:04 alice.txt\r\n-rw-rw-r--. 1 alice alice 398 30 nov 17:19 alice.txt.gpg\r\n[alice@radijs ~]$ \r\n<\/pre>\n
There it is: a signed file. Let's send that file over to Bob and verify it:<\/p>\n
\r\n[bob@radijs ~]$ gpg --verify alice.txt.gpg \r\ngpg: Signature made ma 30 nov 2020 17:19:39 CET\r\ngpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7\r\ngpg: Good signature from \"Alice \" [ultimate]\r\n[bob@radijs ~]$ \r\n<\/pre>\n
That' looks promising. Thing is....what was actually signed?<\/p>\n
\r\n[bob@radijs ~]$ gpg --decrypt alice.txt.gpg \r\nAlice wrote this\r\n\r\nReally....Alice wrote this...you have to believe me.\r\n\r\n\r\ngpg: Signature made ma 30 nov 2020 17:19:39 CET\r\ngpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7\r\ngpg: Good signature from \"Alice \" [ultimate]\r\n[bob@radijs ~]$\r\n<\/pre>\n
OKay...verify only verifies the signature, decrypt also shows the (embedded) message\/file.<\/p>\n
Another option is --clear-sign. This command will embed the document in clear text in the file:<\/p>\n
\r\n[alice@radijs ~]$ gpg --clear-sign alice.txt\r\n                                       <<== password interaction\r\n[alice@radijs ~]$\r\n[alice@radijs ~]$ ls -l\r\n-rw-rw-r--. 1 alice alice  610 30 nov 17:34 alice.txt.asc\r\n[alice@radijs ~]$\r\n[alice@radijs ~]$ cat alice.txt.asc \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\nAlice wrote this\r\n\r\nReally....Alice wrote this...you have to believe me.\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niQEzBAEBCAAdFiEEm0CxvHGtLSEtMWzu2mUWGFe3PdcFAl\/FHw0ACgkQ2mUWGFe3\r\nPdendQf9Fv2EQ16PO26Q0EMU+MlzBFr5G+xDc9A4AAWd7X646GlTonhNzWq1YV\/T\r\nYR5t3kx12DMKvRxXgnuVMJKo+T2bojl\/cqmOyCwacnao9\/+L9urs2hwD\/ZYuiJX8\r\n+8+Zi3IEjWN\/McXsdNsiJfy6+pn09+7TbwHZ0mhmOBKFF74maFQcy\/YNDeblbVxM\r\nPJFc3DPTmzrd9BzPyjfOAY4K7ekWYGjOZ65cZnBfn1r\/SeOjWUXb7HYGn87YBj+\/\r\nyhmR7ASXnjmus+Ynfo+UFK928wwCgm7fxd5tfhpym+QNvDZcJsG1tZ0VjL\/+KTNE\r\n5R7XcdToznORRq\/dZe+FKX8yD\/9CBw==\r\n=NW2a\r\n-----END PGP SIGNATURE-----\r\n[alice@radijs ~]$\r\n<\/pre>\n
You now can see the content of the file, as well as the signature information.<\/p>\n
Push it to Bob, and see whether he can verify that message.<\/p>\n
\r\n[bob@radijs ~]$ cat alice.txt.asc \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\nAlice wrote this\r\n\r\nReally....Alice wrote this...you have to believe me.\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niQEzBAEBCAAdFiEEm0CxvHGtLSEtMWzu2mUWGFe3PdcFAl\/FHw0ACgkQ2mUWGFe3\r\nPdendQf9Fv2EQ16PO26Q0EMU+MlzBFr5G+xDc9A4AAWd7X646GlTonhNzWq1YV\/T\r\nYR5t3kx12DMKvRxXgnuVMJKo+T2bojl\/cqmOyCwacnao9\/+L9urs2hwD\/ZYuiJX8\r\n+8+Zi3IEjWN\/McXsdNsiJfy6+pn09+7TbwHZ0mhmOBKFF74maFQcy\/YNDeblbVxM\r\nPJFc3DPTmzrd9BzPyjfOAY4K7ekWYGjOZ65cZnBfn1r\/SeOjWUXb7HYGn87YBj+\/\r\nyhmR7ASXnjmus+Ynfo+UFK928wwCgm7fxd5tfhpym+QNvDZcJsG1tZ0VjL\/+KTNE\r\n5R7XcdToznORRq\/dZe+FKX8yD\/9CBw==\r\n=NW2a\r\n-----END PGP SIGNATURE-----\r\n[bob@radijs ~]$ \r\n[bob@radijs ~]$ gpg --verify alice.txt.asc \r\ngpg: Signature made ma 30 nov 2020 17:34:21 CET\r\ngpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7\r\ngpg: Good signature from \"Alice \" [ultimate]\r\ngpg: WARNING: not a detached signature; file 'alice.txt' was NOT verified!\r\n[bob@radijs ~]$\r\n<\/pre>\n
Yes he can. But...take notice of the warning message: The signature is OK in itself. The file itself that was signed is not present, gpg can not determine whether the file is tampered with.<\/p>\n
What we can do...a detached signature:<\/p>\n
\r\n[alice@radijs ~]$ gpg --detach-sign alice.txt\r\n                                       <<== password interaction\r\n[alice@radijs ~]$ \r\n[alice@radijs ~]$ ls -l alice.txt.sig \r\n-rw-rw-r--. 1 alice alice 310 30 nov 17:48 alice.txt.sig\r\n<\/pre>\n
And try to verify the file:<\/p>\n
\r\n[bob@radijs ~]$ gpg --verify alice.txt.sig \r\ngpg: no signed data\r\ngpg: can't hash datafile: Geen gegevens\r\n[bob@radijs ~]$\r\n<\/pre>\n
Ow...Okay...Then try verifying the message itself:<\/p>\n
\r\n[bob@radijs ~]$ gpg --verify alice.txt\r\ngpg: no valid OpenPGP data found.\r\ngpg: the signature could not be verified.\r\nPlease remember that the signature file (.sig or .asc)\r\nshould be the first file given on the command line.\r\n[bob@radijs ~]$ \r\n<\/pre>\n
Yes...there is no signature file available...let's have both the message and the signature file:<\/p>\n
\r\n[bob@radijs ~]$ gpg --verify alice.txt.sig \r\ngpg: assuming signed data in 'alice.txt'\r\ngpg: Signature made ma 30 nov 2020 17:48:03 CET\r\ngpg:                using RSA key 9B40B1BC71AD2D212D316CEEDA65161857B73DD7\r\ngpg: Good signature from \"Alice \" [ultimate]\r\n[bob@radijs ~]$\r\n<\/pre>\n
Yup...success...that's all there is to it.<\/p>\n","protected":false},"excerpt":{"rendered":"
GPG Index As seen in a former article gpg can be used to encrypt and decrypt a message or file. Important to realise…you don’t need a password\/passprase to encrypt. As soon as you posess the public key of the user you want to encrypt for, you can do just that. That leaves us with the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[37,47,48],"class_list":["post-280","post","type-post","status-publish","format-standard","hentry","category-privacy","tag-gpg","tag-sign","tag-verify"],"_links":{"self":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts\/280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/maboc.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=280"}],"version-history":[{"count":5,"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions"}],"predecessor-version":[{"id":285,"href":"https:\/\/maboc.nl\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions\/285"}],"wp:attachment":[{"href":"https:\/\/maboc.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/maboc.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/maboc.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}