How to gpg sign a file without encryption

Resolution

• GnuPG offers 3 options for signing input data

  • --detach-sign (synonym: -b)
    Create binary or ASCII-armored detached signature from input

  • --clearsign
    Wrap input in plaintext signature

  • --sign (synonym: -s)
    Encode input into binary or ASCII-armored output with an integrated signature

  Only --sign can be used in concert with encryption
  Input is provided the same way for all 3 options: via stdin or filename passed as an argument

• --detach-sign
  This option is the most useful for simply ensuring the integrity (but not privacy) of a large file

  • Signing

    [user]$ cat inputdata.txt
    My message is here.
    [user]$ gpg --detach-sign -o sig.gpg inputdata.txt
    

  • Verification
    gpg --verify checks the signature

    [user]$ gpg --verify inputdata.txt sig.gpg
    gpg: no valid OpenPGP data found.
    gpg: the signature could not be verified.
    Please remember that the signature file (.sig or .asc)
    should be the first file given on the command line.
    [user]$ gpg --verify sig.gpg inputdata.txt
    gpg: Signature made Thu 23 Jul 2015 09:15:16 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    

• --clearsign
  This option is meant to be used with ASCII (text) input data

  • Signing

    [user]$ cat inputdata.txt
    My message is here.
    [user]$ gpg --clearsign -o output.txt inputdata.txt
    

  • Verification
    gpg --verify checks the signature
    Despite the lack of encryption, gpg --decrypt checks the signature and outputs original data with signature stripped

    [user]$ cat output.txt
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    My message is here.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.14 (GNU/Linux)
    
    iJwEAQECAAYFAlWxhrEACgkQ7UsYmEPWfkECmwP/alQ025erUVowZqe3PB8YE37H
    mKiFTyVLWDyTSYHo7IJBCHww0xDVt8VvZ1CdoDzDWYFlWuxLSa6G1G8Flbmhq5kD
    UNmkazt7p4m+CK7+fkHzYjcmbtf5KAMnJP2ieQLwwrMuRN/GsUUmgdLszor67WP5
    o4JEdXKnrErFBUeMaNs=
    =e17S
    -----END PGP SIGNATURE-----
    [user]$ gpg --verify output.txt
    gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ gpg --decrypt output.txt
    My message is here.
    gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ gpg -d -o original.txt output.txt
    gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ cat original.txt
    My message is here.
    

• --sign
  This option is most-commonly used in concert with encryption (i.e., --encrypt or --symmetric); however, it can be used on its own (this is rare)

  • Signing

    [user]$ cat inputdata.txt
    My message is here.
    [user]$ gpg --encrypt --recipient Badger -r Cow --sign -o output.gpg inputdata.txt
    

  • Verification
    If input is not encrypted, gpg --verify checks the signature
    Whether input is encrypted or not, gpg --decrypt checks the signature and outputs original data with signature stripped

    [user]$ gpg --verify output.gpg
    gpg: verify signatures failed: Unexpected error
    [user]$ gpg --decrypt -o output.txt output.gpg
    You need a passphrase to unlock the secret key for
    user: "Moo Cow "
    1024-bit RSA key, ID DA77CB4C, created 2015-07-22 (main key ID 43D67E41)
    
    gpg: encrypted with 1024-bit RSA key, ID 3F54674E, created 2015-07-24
        "Honey Badger "
    gpg: encrypted with 1024-bit RSA key, ID DA77CB4C, created 2015-07-22
        "Moo Cow "
    gpg: Signature made Thu 23 Jul 2015 09:07:18 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ cat output.txt
    My message is here.