Sign/Validate files with gpg
Introduction
A digital signature certifies and timestamps a document, making it tamper-resistant. If the document is subsequently modified in any way, verification of the signature will fail. This provides the same level of assurance as a hand-written signature, with the added benefit of being tamper-resistant. Here we will use GnuPG to sign and verify files.
Usage Example
Creating a GPG keypair
gpg --full-generate-key
Editing a GPG key
gpg --edit-key your_email@address.com
Export the public key to share with others
gpg --export --armor --output my-gpg.pub
Import other users’ public keys
gpg --import name_of_pub_key_file
cat sample.txt
Sample text for gpg signing
Make a signature
gpg -s sample.txt
file sample*
sample.txt: ASCII text
sample.txt.gpg: data
Decrypt
gpg --decrypt sample.txt.gpg
Make a detached signature
gpg -b sample.txt
file sample*
sample.txt: ASCII text
sample.txt.gpg: data
sample.txt.sig: data
or add --armor
option to make a ASCII signature
gpg --armor -b sample.txt
file sample*
sample.txt: ASCII text
sample.txt.asc: PGP signature Signature (old)
sample.txt.gpg: data
sample.txt.sig: data
or add --clearsign
option to make a clear signature
gpg --clear-sign sample.txt
cat sample.txt.asc
Verify a signature
gpg --verify sample.txt.sig sample.txt
List keys
gpg --list-keys
gpg --refresh-keys
Search keys
gpg --keyserver pgp.mit.edu --search-keys your_email@address.com
Check the fingerprint
gpg --fingerprint your_email@address.com
Conclusion
Signatures are an essential tool to ensure the authenticity and integrity of digital messages and files. GnuPG is a powerful and open-source tool that provides cryptographic privacy and authentication for data communication. By following the steps outlined in this post, you can create and verify signatures using GnuPG to secure your digital communications.
References
https://www.gnupg.org/gph/en/manual/x135.html
https://www.redhat.com/sysadmin/digital-signatures-gnupg
https://pgp.mit.edu/