All about GPG Signing

Oct. 28, 2020

This is Part 1 of the All about GPG series. In this part, we will learn how to sign stuff with GNU Privacy Guard. After reading this guide, you will be able to digitally sign files and distribute your code with your own assurance attached.

Case 1: Signing

Firstly, we will generate ourselves an ultimate signing key. Before this, you might want to refer to the earlier part here.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 10

Select Option 10 from the menu by entering its number. It will then show us another screen of options:

Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1

For this scenario, unless you are an absolute expert, which most of us aren't, I recommend visiting http://safecurves.cr.yp.to/, which explains which elliptic curves are cryptographically secure and which are not. At the time of writing this entry, Curve 25519 is more trustworthy than the others, so we will select Option 1.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y

Since the algorithm we selected is secure in the long term, we will set this to 2y so that the key can sign things for 2 years. If you plan on using it for more years, you can do so by renewing the expired key.

Key expires at Fri Oct 23 02:41:02 2022 GMT
Is this correct? (y/N)

Now you will be greeted by a confirmation screen with the expiration date and its time, for your reference. Confirm it by entering y.

GnuPG needs to construct a user ID to identify your key.

Real name: Xenon Lucifer Diablo
Email address: code@nmnx.org
Comment: Signing key for open source projects and R&D purposes only.

This time you will be asked for your information (Name, Email and Comment) so that the key is generated with your corresponding email address. The comment describes the key's purpose, so write why you want to use this key.

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

For the final time, it will ask you whether you want to make any changes (in case of typos). Choose (O)kay to proceed.

            ┌──────────────────────────────────────────────────────┐            
            │ Please enter the passphrase to                       │            
            │ protect your new key                                 │            
            │                                                      │            
            │ Passphrase: ________________________________________ │            
            │                                                      │            
            │       <OK>                              <Cancel>     │            
            └──────────────────────────────────────────────────────┘            

Your chosen pinentry interface will now ask for your new passphrase. Enter the passphrase that will safeguard your keys, then press Tab to move to <OK> and press Return.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

This message screen will appear where you have to press tons of buttons on your keyboard randomly and shake your mouse like hell! Not doing so will lead you to this message.

generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 281 more bytes)

This means that your system hasn’t reached the required threshold of entropy. An impromptu explanation is provided in this entry.

If all went well, then you will be greeted by the following text.

gpg: key 033A0E83209937B3 marked as ultimately trusted
gpg: revocation certificate stored as 'xxx/xxx/xxx/xxx.rev'
public and secret key created and signed.

pub   ed25519 2020-10-23 [SC] [expires: 2022-10-23]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid                      Xenon Lucifer Diablo (Signing key for open source projects and R&D purposes only.) <code@nmnx.org>

Congratulations! You have successfully generated your signing key. To verify and see your key, run:

gpg --list-secret-keys --keyid-format LONG --fingerprint

Now export your key using the command

gpg --export --armor 033A0E83209937B3

Here, you can see my public key ready to export


You can verify the key by checking it against the commits in my projects on GitHub.

Signing things

This part is ded simple. We will sign files and documents using this simple command:

gpg --sign --default-key code@nmnx.org thelegend27.pdf

where code@nmnx.org is the email address you entered earlier when generating the signing key (needed if you have multiple keys on your system) and thelegend27.pdf is the file name (👀 don’t tell anyone). Again this screen will appear before you; just enter your passphrase:

            ┌──────────────────────────────────────────────────────┐            
            │ Please enter the passphrase to                       │            
            │ protect your new key                                 │            
            │                                                      │            
            │ Passphrase: ________________________________________ │            
            │                                                      │            
            │       <OK>                              <Cancel>     │            
            └──────────────────────────────────────────────────────┘            

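This will create a signed document ending with the extension .gpg in your working directory, which can be verified and decrypted back to the original document. Note that --sign only signs (and compresses) the file; it does not encrypt it, so anyone who has the .gpg file can extract its contents.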

Verifying things

Again, simple as shit. Just use:

gpg --verify thelegend27.pdf.gpg

and this will do the job! However, there are a few caveats that I would like to mention first. Always check the signing comment (the comment shown alongside the signer's name in the output) before decryption. That will allow you to verify the authenticity of the issued document.

Retrieving the original

Once verified carefully, decrypt the document you have received using the command:

gpg --output topsecret.pdf --decrypt thelegend27.pdf.gpg

And you shall receive! The document you yearned for soo long. Ahh the joy! 😌
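The verify and retrieve steps above, as an added example that is not part of the original post: names and comments in a user ID are free text that anyone can put on their own key, so this script pins the signer's fingerprint by reading gpg's machine-readable --status-fd output, and verifies and extracts in a single gpg run. The function names are hypothetical, the sample status lines are constructed, and the expected fingerprint is the placeholder value from the key listing earlier in the post.

```shell
#!/bin/sh
# Added example: accept a signed file only if it was made by one pinned key.
# Expected fingerprint: the placeholder value printed in the post's key listing.
EXPECTED_FPR="ABCDEF0123456789ABCDEF0123456789ABCDEF01"

# Constructed samples of `gpg --status-fd` output (not captured from a real run).
SAMPLE_GOOD="[GNUPG:] GOODSIG 033A0E83209937B3 Xenon Lucifer Diablo <code@nmnx.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2020-10-28 1603843200 0 4 0 22 10 00 $EXPECTED_FPR"
# Same display name, different key: the name alone proves nothing.
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 1111111111111111 Xenon Lucifer Diablo <code@nmnx.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2020-10-28 1603843200 0 4 0 22 10 00 1111111111111111111111111111111111111111"
# Valid signature, but the signing key has expired since.
SAMPLE_EXPIRED="[GNUPG:] EXPKEYSIG 033A0E83209937B3 Xenon Lucifer Diablo <code@nmnx.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2022-10-28 1666915200 0 4 0 22 10 00 $EXPECTED_FPR"

# check_status FINGERPRINT: read status lines on stdin; return 0 only if a
# VALIDSIG names that primary key and no line reports a bad, expired or
# revoked signature. Empty input (gpg missing or crashed) fails closed.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3   # field 12 = primary key fingerprint
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# extract_if_signed_by FINGERPRINT SIGNED_FILE OUTPUT: verify and extract in
# one gpg run, and keep the output only when the pinned key signed it.
extract_if_signed_by() {
    tmp=$(mktemp) || return 1
    if gpg --batch --yes --status-fd 1 --output "$tmp" --decrypt "$2" \
            2>/dev/null | check_status "$1"
    then mv "$tmp" "$3"
    else rm -f "$tmp"; return 1
    fi
}
```

For the file from this post the call would be extract_if_signed_by "$EXPECTED_FPR" thelegend27.pdf.gpg topsecret.pdf, with the real fingerprint obtained from the signer over a channel you trust.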

Since this entry’s size is large, I have decided to introduce several parts to this series.

That’s all for today! Thank you for reading this crap. Let’s see you again next time.