SIGNING AND VERIFYING FILES WITH GNUPG


Now, in order to verify the authenticity/integrity of files, we use the signature feature of GnuPG. Do you remember that in one of my earliest articles [I am talking about the GPG verification guide for TOR] we dealt with verifying the authenticity of an application file? Now we'll learn how to do that with ANY file.


Now there are multiple ways to create "File-Signatures":- these achieve the same thing but in different ways.

We will learn about "SIGN" first.

This command compresses & THEN signs the message/file with your SECRET/PRIVATE-KEY.

gpg --sign -u EMAIL_ID FILE_NAME
		OR 
gpg -s -u EMAIL_ID FILE_NAME

REMINDER:-
This DOES NOT ACTUALLY ENCRYPT the file/message [usually "--sign" is used in combination with encryption], but the contents are rendered unreadable, & in order to make them readable again you will have to process the file with GPG [which is done with "--decrypt" or "-d"]. The difference is that the signed file/message has the additional capacity of being VERIFIED/AUTHENTICATED separately as well.

Also, the default output will have a ".gpg" file extension, whereas if you use the "--armor" or "-a" option then the output will have a ".asc" file extension.

Next we will learn about "CLEARSIGN".

This command does the same as above but with a major difference: it signs the file but PRESERVES the actual contents/message in readable form. So here the message is still readable & hence does not need to be "decrypted".

echo "YOUR_MESSAGE" | gpg --clearsign -u EMAIL_ID > MESSAGE_FILE 
		OR 
gpg --clearsign -u EMAIL_ID FILE_NAME

Oh & this command uses the "--armor" option by default, hence the resulting file will have a file extension of ".asc". One of the common use cases of this command is verifying the authenticity of messages like, say, an email or even a webpage, where you NEED the message to stay readable. So here you just VERIFY the authenticity of the messages/files & nothing else.

FINALLY, we will learn about the "DETACH-SIGN" option.

The "--detach-sign" or "-b" option creates a separate SIGNATURE-FILE with the extension ".sig" [this is the default "BINARY-FORM" extension]. The actual file itself is neither encrypted nor altered in any way, but you WILL need both the file AND the signature file to verify the actual file's authenticity.

gpg --detach-sign -u EMAIL_ID FILE_NAME
		OR 
gpg -b -u EMAIL_ID FILE_NAME

Remember when I was talking about an EXCEPTIONAL CASE while discussing the "ARMOR" option?
The EXCEPTION here is that even though you CAN use the "--armor" option to get a ".asc" file for readability, you really DO NOT NEED TO. But hey, it is all up to you my friend.

Now that you have signed the files/messages, you will need to verify the signature of each file/message against the actual file/message, & to do that just type the command [or one of its varieties] given below:

gpg --verify FILE_NAME 
		OR 
gpg --verify SIGNATURE_FILE FILE_NAME

Here GPG/GnuPG automatically checks the signatures against the PUBLIC-KEYS that you have imported into your system [AKA the GPG keyring]. Please note that the second "--verify" command is used in situations where you have to deal with DETACHED SIGNATURES [which may be in the form of a ".sig" or a ".asc" file].
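As an added example [not part of the original article], here is a shell script that runs all three signing modes and the matching "--verify" commands against a throwaway key in a temporary keyring, and then shows that ONE altered byte makes a detached signature fail. It assumes GnuPG 2.1 or newer on PATH; the signer identity demo-signer@example.invalid is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original article. Exercises --sign, --clearsign,
# --detach-sign and --verify in an isolated keyring, then tampers with the
# signed file to show the detached signature being rejected.
# Assumes GnuPG 2.1+ (for --quick-generate-key). The user ID is a placeholder.

signing_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "SKIP: gpg not installed"; return 0; }
    work=$(mktemp -d) || return 1
    home="$work/keyring"                      # never touches ~/.gnupg
    mkdir -m 700 "$home"
    uid="demo-signer@example.invalid"         # constructed placeholder identity
    g() { gpg --batch --homedir "$home" "$@"; }   # every call uses the temp keyring

    printf 'release notes v1.0\n' > "$work/msg.txt"

    # Throwaway key with an empty passphrase so no pinentry prompt is needed.
    g --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1

    # --sign: compressed + signed into msg.txt.gpg; unreadable until --decrypt unwraps it
    g --yes -u "$uid" --sign "$work/msg.txt" 2>/dev/null
    r1=fail; g --verify "$work/msg.txt.gpg" 2>/dev/null && r1=ok
    # Nothing was encrypted, yet --decrypt is what gives the plain content back.
    [ "$(g --decrypt "$work/msg.txt.gpg" 2>/dev/null)" = "release notes v1.0" ] || r1=fail

    # --clearsign: readable text plus an inline ASCII-armored signature (msg.txt.asc)
    g --yes -u "$uid" --clearsign "$work/msg.txt" 2>/dev/null
    r2=fail; g --verify "$work/msg.txt.asc" 2>/dev/null && r2=ok

    # --detach-sign: separate msg.txt.sig; verification needs both files
    g --yes -u "$uid" --detach-sign "$work/msg.txt" 2>/dev/null
    r3=fail; g --verify "$work/msg.txt.sig" "$work/msg.txt" 2>/dev/null && r3=ok

    # Tampering: append one byte to the file; the detached signature must now fail
    printf 'X' >> "$work/msg.txt"
    r4=accepted; g --verify "$work/msg.txt.sig" "$work/msg.txt" 2>/dev/null || r4=rejected

    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo "sign:$r1 clearsign:$r2 detach:$r3 tamper:$r4"
}
```

A zero exit status from "--verify" only means the signature matches a public key present in your keyring; whether that key really belongs to the person you think it does is a separate question that the keyring's trust settings [and your own key-fingerprint checking] have to answer.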