All about GPG Signing
This is Part 1 of the All about GPG series. In this part, we will learn how to sign things with GNU Privacy Guard. After reading this guide, you will be able to digitally sign files and distribute your code under your own assurance.
Case 1: Signing
Firstly, we will generate ourselves an ultimate signing key. Before this, you might want to refer to the earlier part here.
Select Option 10 from the menu by entering its number; it will show us another screen with further options.
For this scenario, unless you are an absolute expert (which most of us are not), I recommend visiting http://safecurves.cr.yp.to/, which explains which elliptic curves are cryptographically safer and which are not. At the time of writing this entry, Curve25519 is more trustworthy than the others, so we will select Option 1.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Now, since the algorithm we selected is secure in the long term, we shall set this to 2y to sign things for 2 years. If you later want the key to last longer, you can also do that by renewing the expired key.
Key expires at Fri Oct 23 02:41:02 2022 GMT
Is this correct? (y/N)
Now you will be greeted by a confirmation screen showing the expiration date and time for your reference. Confirm it by entering y.
GnuPG needs to construct a user ID to identify your key.

Real name: Xenon Lucifer Diablo
Email address: email@example.com
Comment: Signing key for open source projects and R&D purposes only.
This time you will be asked for your information (name, email and comment) to generate the key tied to your email address. The comment describes the key's purpose, so write down why you want to use this key.
For the final time, it will ask you whether anything needs changing (in case of typos). Choose (O)kay to proceed.
Your chosen pinentry interface will now ask for your new password. Enter the password that will safeguard your key, then press Tab to move to <OK> and press Return.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
This message will appear; now press tons of keys on your keyboard randomly and shake your mouse like hell! Not doing so will lead you to this message:
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 281 more bytes)
This means that your system has not yet reached the required entropy threshold. An impromptu explanation is provided in this entry.
If all went well, then you will be greeted by the following text.
gpg: key 033A0E83209937B3 marked as ultimately trusted
gpg: revocation certificate stored as 'xxx/xxx/xxx/xxx.rev'
public and secret key created and signed.

pub   ed25519 2020-10-23 [SC] [expires: 2022-10-23]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid   Xenon Lucifer Diablo (Signing key for open source projects and R&D purposes only.) <firstname.lastname@example.org>
Congratulations! You have successfully generated your signing key. To verify and see your key,
Now export your key using the command
Here you can see my public key, ready to export:
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEX7qsvBYJKwYBBAHaRw8BAQdAVtScTWmCqpQUPFgwI+Ajtaxh1fGXAlTX+uq8
iU0UZI60Ylhlbm9uIEx1Y2lmZXIgRGlhYmxvIChTaWduaW5nIGtleSBmb3Igb3Bl
biBzb3VyY2UgcHJvamVjdHMgYW5kIFImRCBwdXJwb3NlcyBvbmx5LikgPGNvZGVA
bm1ueC5vcmc+iJYEExYIAD4WIQSBXvtaJomyOdMJyiEDOg6DIJk3swUCX7qsvAIb
AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRADOg6DIJk3s41NAPoD
WhPkhqeuUwZjHhc/5YZeV3EmiSKP9yges/+iWUqeSgD9FaSyLGahqbJa8Cdtp+fY
jKu3b7TD2PKi33jLrEBKug8=
=HcnM
-----END PGP PUBLIC KEY BLOCK-----
You can verify the key by checking the signed commits on my GitHub projects.
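The key block above is a real OpenPGP export, and you can see what is inside it without gpg. The following Python script is an added example (not code from the post): it de-armors the block, checks the CRC-24 trailer (the "=HcnM" line), walks the packets and reports the key's algorithm, creation time, user ID and self-signature. It only handles the old-format packet headers this export uses.

```python
import base64

ARMORED_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEX7qsvBYJKwYBBAHaRw8BAQdAVtScTWmCqpQUPFgwI+Ajtaxh1fGXAlTX+uq8
iU0UZI60Ylhlbm9uIEx1Y2lmZXIgRGlhYmxvIChTaWduaW5nIGtleSBmb3Igb3Bl
biBzb3VyY2UgcHJvamVjdHMgYW5kIFImRCBwdXJwb3NlcyBvbmx5LikgPGNvZGVA
bm1ueC5vcmc+iJYEExYIAD4WIQSBXvtaJomyOdMJyiEDOg6DIJk3swUCX7qsvAIb
AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRADOg6DIJk3s41NAPoD
WhPkhqeuUwZjHhc/5YZeV3EmiSKP9yges/+iWUqeSgD9FaSyLGahqbJa8Cdtp+fY
jKu3b7TD2PKi33jLrEBKug8=
=HcnM
-----END PGP PUBLIC KEY BLOCK-----"""  # the public key block shown in the post

def crc24(data):  # RFC 4880 section 6.1: init 0xB704CE, polynomial 0x1864CFB
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):  # strip the armor lines, base64-decode the body, check the "=XXXX" CRC line
    lines = [s for s in (l.strip() for l in text.splitlines()) if s and not s.startswith("-----") and ": " not in s]
    raw = base64.b64decode("".join(l for l in lines if not l.startswith("=")))
    crc = [l[1:] for l in lines if l.startswith("=")]
    return raw, bool(crc) and base64.b64decode(crc[0]) == crc24(raw).to_bytes(3, "big")

def packets(raw):  # old-format packet headers: tag in bits 2-5, length type in bits 0-1
    i = 0
    while i < len(raw):
        ctb = raw[i]
        if (ctb & 0xC0) != 0x80:
            raise ValueError("only old-format packet headers are handled (this export uses them)")
        tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]
        length = int.from_bytes(raw[i + 1:i + 1 + n], "big")
        yield tag, raw[i + 1 + n:i + 1 + n + length]
        i += 1 + n + length

def inspect_key(armored):  # summarise the three packets gpg exports for a fresh signing key
    raw, crc_ok = dearmor(armored)
    info = {"crc_ok": crc_ok, "tags": []}
    for tag, body in packets(raw):
        info["tags"].append(tag)
        if tag == 6:  # public-key packet: version, creation time (unix), algorithm (22 = EdDSA)
            info["key"] = {"version": body[0], "created": int.from_bytes(body[1:5], "big"), "algo": body[5]}
        elif tag == 13:  # user ID packet: the name, comment and email entered at generation
            info["uid"] = body.decode()
        elif tag == 2:  # v4 signature packet: type 0x13 is a positive self-certification of the uid
            info["sig"] = {"type": body[1], "algo": body[2], "hash": body[3]}
    return info
```

Run `inspect_key(ARMORED_KEY)` to get the summary as a dict; the creation time is a unix timestamp you can feed to datetime.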
This part is dead simple: we will sign files and documents using this simple command:
email@example.com is the email address you entered when generating the signing key (it selects the key if you have several in your keyring), whereas thelegend27.pdf is the file name (👀 don't tell anyone). Again this screen will appear before you; just enter your password:
This will create a signed document with the extension *.gpg in your working directory, which can be verified and decrypted back to the original document.
Again, simple as shit. Just use:
and this will do the job! However, there are a few caveats I would like to mention first. Always check the signing key's comment in the verification output before decrypting. That lets you confirm the authenticity of the issued document.
Retrieving the original
Once verified carefully, decrypt the document you have received using the command:
And you shall receive! The document you yearned for so long. Ahh, the joy! 😌
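The sign, verify and decrypt steps above in one reproducible script, added here as an example and not taken from the post. It assumes GnuPG 2.2 or later is on PATH, uses a throwaway GNUPGHOME so your real keyring is untouched, and the user ID, the passphrase-less key and the sample file contents are constructed for the demo (the empty passphrase stands in for the pinentry prompt you would normally answer).

```python
import os
import shutil
import subprocess
import tempfile

def gpg(home, *args):
    # Every call pins GNUPGHOME to a throwaway directory so nothing touches your real keyring;
    # --batch, --pinentry-mode loopback and --passphrase '' replace the pinentry prompts from the post.
    env = dict(os.environ, GNUPGHOME=home, LC_ALL="C")
    return subprocess.run(["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
                           "--passphrase", "", *args], env=env, capture_output=True, check=True)

def sign_verify_roundtrip(payload, uid="Example Signer <signer@example.com>"):
    """Generate an ed25519 signing key valid for 2y, sign a file, verify it, decrypt it back."""
    if shutil.which("gpg") is None:  # nothing to demonstrate without the binary
        return None
    with tempfile.TemporaryDirectory() as home:
        gpg(home, "--quick-generate-key", uid, "ed25519", "sign", "2y")  # same choices as the post
        doc = os.path.join(home, "thelegend27.pdf")  # constructed sample document
        with open(doc, "wb") as f:
            f.write(payload)
        gpg(home, "--local-user", uid, "--sign", doc)  # writes thelegend27.pdf.gpg next to it
        verify = gpg(home, "--verify", doc + ".gpg")  # raises CalledProcessError on a bad signature
        gpg(home, "--output", doc + ".out", "--decrypt", doc + ".gpg")  # verifies again, then unpacks
        with open(doc + ".out", "rb") as f:
            recovered = f.read()
        if shutil.which("gpgconf"):  # stop the agent that gpg started inside the temp home
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"], capture_output=True)
        # gpg reports the signer on stderr; that "Good signature from ..." line is what to check before trusting
        return {"roundtrip": recovered == payload, "status": verify.stderr.decode(errors="replace")}
```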
Since this entry has grown large, I have decided to split this series into several parts.
That's all for today! Thank you for reading this crap. Let's see you again next time.