How to Sign and Verify a Document or File using PGP/GPG
This article is an continuation of “Cryptography for Absolute Beginners” I recommend reading it first
Note that you will need to have GnuPG (GPG) installed before starting the tutorial.
First, a bit of background as to how this works:
A digital signature certifies and timestamps a document.
If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant.
Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer. The signature is verified using the corresponding public key.
Alright, now that we know what it is all about we can take a look at how you can sign your document. I’ll show you an example after I show you what to do first.
To sign a document with PGP, run this in the command-line:
gpg --output document.sig --sign document.pdf
Where “document.pdf” is the path to the document you want to sign and compress. It doesn’t need to be a .pdf; in fact, it can be any type of file you want. After you have entered your password for your private key, GPG will output the “document.sig” file into C:\Users\YourPCName (on Windows).
To verify a document that has been signed with PGP, run this in the command line:
gpg --output document.pdf --decrypt document.sig
This will output the decrypted “document.pdf” into C:\Users\YourPCName if you have the person who signed the document’s public key. In the command line you will see something like this:
gpg: Signature made 03/12/16 12:02:38 Coordinated Universal Time using DSA key ID ABD907D3 gpg: Good signature from “Person < email@example.com >”
Now, on to an example:
Bob wants to send Kate a sensitive document, and he wants to make sure that it isn’t tampered with along the way. The document is called “classifiedinfo.docx” and it is located at D:\Users\Bob. He types this into the command line:
gpg --output classifiedinfo.sig --sign D:\Users\Bob\classifiedinfo.docx
Note that you can choose any name you like for the .sig file.
Now he types in his private key’s password, retrieves the signed file from D:\Users\Bob and sends it to Kate. He also tells her that it is a .docx file. Kate has already imported Bob’s public key into GPG.
Kate verifies and decompresses Bob’s file by running this in the command line:
gpg --output classifiedinfo.docx --decrypt C:\Users\Kate\Downloads\classifiedinfo.siggpg --output classifiedinfo.docx --decrypt C:\Users\Kate\Downloads\classifiedinto.sig
She gets this message in the command line:
gpg: Signature made 02/12/2016 15:39:05 Central African Time using DSA key ID A657BC83 gpg: Good signature from “Bob < firstname.lastname@example.org >”
Good. The document is untampered and genuine. She opens it.
In my next tutorial we’ll learn to clearsign a document.
Check out my other tutorial,if you haven’t already: