Second Series | Part 8: Sign files
First article of this new series.
You can see the articles of the first series here, and the following ones here:
- Part 9 : Encrypt files
- Part 10 : GPG Conf’
- Part 11 : Some details about keys and maths
- Part 12 : Export and import public and private keys
- Part 13 : Various security aspects
- Part 14 : Publish a signing policy
- Part 15 : Using gpg in command line
- Part 16 : Going to a gpg signing party
I am going to explain how to sign and check files. It is getting a bit technical.
The motivation for signing files is the same as for mail:
- You are sure that this file has not been corrupted or altered.
- You know the author of the file or where it comes from.
For example, software developers often sign their binaries or the zip archives containing their code. Debian uses gpg to ensure package integrity.
And I am going to give you a number of files signed with the tutorial's key.
Sign a file
In order to sign a file, gpg actually goes through a sequence of steps, all of them performed by the software itself of course:
A hash of the file (a characteristic fingerprint of some data, produced by a hash function) is computed. This hash will be used to prove the file's integrity.
The hash is then encrypted using the private key. This means that you are the actual signer, as you are the only one able to use your private key. Then, a compressed archive of the whole is created.
Actually, people generally prefer to create separate signature files: the encrypted hash of the file, which constitutes the signature, is stored in a distinct text file. This allows the signed file to be directly usable while still being checkable.
And I have just explained mail
This process is the one used when sending a mail in PGP/MIME (also called OpenPGP/MIME or GPG/MIME): your mail is hashed, the hash is encrypted using your private key and attached to the mail.
This explains the strange attachment in your mail that many of your contacts try to open, and the need for a text signature to explain it. The loop is closed.
With PGP/inline, the hash is simply copied into the text of the mail, and it's quite ugly.
GPG Suite (Mac OS)
On Mac OS, to sign a file, you just need to select it in Finder, right-click, then select Services > OpenPGP: Sign File.
Kleopatra (Windows and Linux distributions)
Signing a file with Kleopatra is really easy:
File > Sign/Encrypt files, select the file you want and click on Sign.
You can also sign from Konqueror or Dolphin (or Explorer on Windows, using the GpgEX extension!): right-click on the file, then select Sign with OpenPGP.
Also consider using Text output (ASCII armor). This keeps the signature robust and creates an .asc file.
You can use OpenPGP or S/MIME. Select Sign with OpenPGP, then click on your key if it is not already selected automatically.
Finally click on Sign at the bottom. A few seconds later, the software should tell you about the success.
You can also create an archive with OpenPGP. Kleopatra itself describes it as bizarre. You should instead use a regular archive tool (zip, tar, ark…) and then sign the archive.
Check a file’s signature
To check a signature:
The archive is opened, then the encrypted hash is decrypted with the public key. The authenticity of the file has just been proven: the signer is the owner of the key.
A hash of the signed file is then computed and compared to the one that was encrypted. So the integrity of the file has just been proven as well. It is truly the same file that the author signed.
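What the GUI tools above do under the hood, for both the signing steps and the checking steps, can be reproduced with the gpg command line. This is an added example, not something from the original article; it creates a throwaway keyring in a temporary GNUPGHOME so your real keys are never touched, and the key name, email address and file contents are constructed values. It signs a file with a detached ASCII-armored signature (what Kleopatra calls Text output), verifies it, then alters the file and shows that verification now fails:

```shell
#!/bin/sh
# Added example (not from the original article): detached signing and
# verification with the gpg command line, in an isolated keyring.
set -e

# Create an isolated keyring and a throwaway signing key.
# The user id and the empty passphrase are constructed for this demo only.
make_test_keyring() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Tutorial Example <example@example.invalid>' \
        default default never
}

# Detached, ASCII-armored signature: the signed file stays directly usable
# and the signature is written beside it as <file>.asc.
sign_detached() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# Verification: gpg recomputes the hash of the file and checks it against
# the hash in the signature. Exit status 0 means a good signature.
verify_detached() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Sign a constructed file, verify it, then tamper with it and verify again.
# Returns 0 only if the intact file verifies and the altered file does not.
demo() {
    make_test_keyring
    workdir="$(mktemp -d)"
    printf 'release notes v1\n' > "$workdir/notes.txt"
    sign_detached "$workdir/notes.txt"
    verify_detached "$workdir/notes.txt" || return 1
    printf 'release notes v1 (tampered)\n' > "$workdir/notes.txt"
    if verify_detached "$workdir/notes.txt"; then
        return 2
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    return 0
}
```

Run `demo` (or call the functions on your own files) and check the exit status: a `0` means the intact file verified and the altered copy was rejected, which is exactly the integrity check described above. In real use you would drop the `--passphrase ''` options and let gpg prompt for your key's passphrase.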
GPG Suite (Mac OS)
Checking a file signature on Mac OS is almost the same as signing it: right-click in Finder, then select Services > OpenPGP: Validate.
Kleopatra (Windows and Linux distributions)
File > Decrypt/Verify files. The software will ask you whether it is an archive or a detached signature.
If it is a detached signature, then it will ask you which data to validate. Usually the signature file and the signed file have the same name, differing only in the extension. It might propose the correct file. But maybe not.
If the file is neither a detached signature nor an archive, then you have to indicate where to place the extracted files.
You can then ask for the signature to be validated.
More things to sign!
One can sign… Git commits! Unbelievable how many things you can do with gpg!
Guess what…?
Cipher’in’ Letters
I have just compiled the first series of articles into a little book called Cipher’in’ Letters. I hope this title will make you think about the whole matter.
You can download the pdf, which has been signed with the tutorial key as well as with my personal key.
The LaTeX sources are also available in the github repo that I created for the purpose. This version is tagged «vb1», for «version base 1», and signed with my personal key.