Digital signatures are used to verify the authenticity and integrity of a document. One can digitally sign a document using GPG to ensure that the document has indeed come from the intended sender and has not been modified since the sender signed it.
In GPG, a user first needs to generate a key pair consisting of a public key and a private key. The user can sign a document using his private key and send it to someone. After receiving the document, the recipient can verify the signature with the sender’s public key. If the signature does not match, the document has been modified after it was signed. (What is a digital signature, and how does it work?)
Usually, when we want to sign a document using GPG, we have a couple of options.
- We can sign and encrypt the file and store the signed file in the same file
- We can encrypt and sign the file and tell GPG not to compress it while signing
- We can sign and encrypt the file but store it in a separate output file to keep the input file intact
Please see the corresponding commands for each option below.
How to make digital signatures using GPG?
To sign a document using your private key, use the following command:
# gpg --armor --output file.txt.sign.asc --sign file.txt
This will sign the document file.txt and create the ASCII-armored output file file.txt.sign.asc.
How to verify a document digitally signed using GPG?
After receiving the document, the recipient can verify the signature of the sender. To verify the signature, the recipient should run the following command:
# gpg --verify file.txt.sign.asc
If the signature is valid, gpg reports that it is a good signature.
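A good-signature message only says that the data matches some public key in the recipient's keyring. The added example below (not from the original article) reads gpg's machine-readable `--status-fd` output and accepts the file only if the signing key's fingerprint equals one obtained from the sender out of band. The fingerprints, the name Alice Example and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): accept a signature only if gpg
# reports it valid AND it was made by the key we expect.

# check_status EXPECTED_FPR  -- reads `gpg --status-fd` lines on stdin.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature must not be trusted.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; field 12, when present,
            # is the fingerprint of its primary key.
            fpr = (NF >= 12) ? $12 : $3
            if (fpr == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_signed EXPECTED_FPR FILE  -- runs gpg and applies the check above.
verify_signed() {
    gpg --status-fd 1 --verify "$2" 2>/dev/null | check_status "$1"
}

# Constructed sample status output (fingerprints are made up).
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98

sample_status() {   # sample_status FPR
    keyid=$(printf '%s' "$1" | cut -c25-40)
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG %s Alice Example <alice@example.org>\n' "$keyid"
    printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' "$1" "$1"
}
sample_bad() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example <alice@example.org>\n'
}
```

On a real file the call would be `verify_signed "$PINNED_FPR" file.txt.sign.asc`, with the pinned fingerprint taken from the sender rather than from the keyring.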
How to extract the original file from the signed document?
Normally, when we sign a file using GPG, we sign and encrypt it together. To retrieve the original …