How to gpg sign a file without encryption


Environment

  • Red Hat Enterprise Linux
  • gnupg or gnupg2

Issue

  • How can we sign a file with a chosen private key without encrypting it? Should we use "--sign" or "--clearsign"?
  • Every time we use gpg --sign it seems to produce encrypted binary files. How can we avoid encryption and only sign?

Resolution

  • GnuPG offers 3 options for signing input data

    • --detach-sign (synonym: -b)
      Create binary or ASCII-armored detached signature from input

    • --clearsign
      Wrap input in plaintext signature

    • --sign (synonym: -s)
      Encode input into binary or ASCII-armored output with an integrated signature

    Only --sign can be used in concert with encryption
    Input is provided the same way for all 3 options: via stdin or as a filename passed as an argument

  • --detach-sign
    This option is the most useful for simply ensuring the integrity (but not privacy) of a large file

    • Signing

      [user]$ cat inputdata.txt
      My message is here.
      [user]$ gpg --detach-sign -o sig.gpg inputdata.txt
      
    • Verification
      gpg --verify checks the signature

      [user]$ gpg --verify inputdata.txt sig.gpg
      gpg: no valid OpenPGP data found.
      gpg: the signature could not be verified.
      Please remember that the signature file (.sig or .asc)
      should be the first file given on the command line.
      [user]$ gpg --verify sig.gpg inputdata.txt
      gpg: Signature made Thu 23 Jul 2015 09:15:16 PM EDT using RSA key ID 43D67E41
      gpg: Good signature from "Moo Cow "
      
  • --clearsign
    This option is meant to be used with ASCII (text) input data

    • Signing

      [user]$ cat inputdata.txt
      My message is here.
      [user]$ gpg --clearsign -o output.txt inputdata.txt
      
    • Verification
      gpg --verify checks the signature
      Despite the lack of encryption, gpg --decrypt also checks the signature and outputs the original data with the signature stripped

      [user]$ cat output.txt
      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1
      
      My message is here.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v2.0.14 (GNU/Linux)
      
      iJwEAQECAAYFAlWxhrEACgkQ7UsYmEPWfkECmwP/alQ025erUVowZqe3PB8YE37H
      mKiFTyVLWDyTSYHo7IJBCHww0xDVt8VvZ1CdoDzDWYFlWuxLSa6G1G8Flbmhq5kD
      UNmkazt7p4m+CK7+fkHzYjcmbtf5KAMnJP2ieQLwwrMuRN/GsUUmgdLszor67WP5
      o4JEdXKnrErFBUeMaNs=
      =e17S
      -----END PGP SIGNATURE-----
      [user]$ gpg --verify output.txt
      gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
      gpg: Good signature from "Moo Cow "
      [user]$ gpg --decrypt output.txt
      My message is here.
      gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
      gpg: Good signature from "Moo Cow "
      [user]$ gpg -d -o original.txt output.txt
      gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
      gpg: Good signature from "Moo Cow "
      [user]$ cat original.txt
      My message is here.
      
  • --sign
    This option is most commonly used in concert with encryption (i.e., --encrypt or --symmetric); however, it can also be used on its own (this is rare). Used alone it does not encrypt, but the output is still binary OpenPGP data unless --armor is added, which is why it is easily mistaken for an encrypted file

    • Signing

      [user]$ cat inputdata.txt
      My message is here.
      [user]$ gpg --encrypt --recipient Badger -r Cow --sign -o output.gpg inputdata.txt
      
    • Verification
      If the input is not encrypted, gpg --verify checks the signature
      Whether the input is encrypted or not, gpg --decrypt checks the signature and outputs the original data with the signature stripped

      [user]$ gpg --verify output.gpg
      gpg: verify signatures failed: Unexpected error
      [user]$ gpg --decrypt -o output.txt output.gpg
      You need a passphrase to unlock the secret key for
      user: "Moo Cow "
      1024-bit RSA key, ID DA77CB4C, created 2015-07-22 (main key ID 43D67E41)
      
      gpg: encrypted with 1024-bit RSA key, ID 3F54674E, created 2015-07-24
          "Honey Badger "
      gpg: encrypted with 1024-bit RSA key, ID DA77CB4C, created 2015-07-22
          "Moo Cow "
      gpg: Signature made Thu 23 Jul 2015 09:07:18 PM EDT using RSA key ID 43D67E41
      gpg: Good signature from "Moo Cow "
      [user]$ cat output.txt
      My message is here.
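
The clearsigned output.txt shown under --clearsign above is ordinary OpenPGP ASCII armor, so its structure can be inspected offline. The following Python script is an added example, not part of the original article or of GnuPG: it embeds that output.txt verbatim as its input, splits it into the Hash: header, the signed text and the armored signature, checks the radix-64 CRC-24 trailer, and decodes the version-4 signature packet header (signature type, public-key and hash algorithm, creation time and issuer key ID) so that these can be compared with what gpg --verify reports. The function names are the example's own. It does not verify the signature itself; that still needs the signer's public key and gpg.

```python
import base64
import struct
from datetime import datetime, timezone

# Input constructed for this example: the clearsigned output.txt from the article, verbatim.
CLEARSIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My message is here.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iJwEAQECAAYFAlWxhrEACgkQ7UsYmEPWfkECmwP/alQ025erUVowZqe3PB8YE37H
mKiFTyVLWDyTSYHo7IJBCHww0xDVt8VvZ1CdoDzDWYFlWuxLSa6G1G8Flbmhq5kD
UNmkazt7p4m+CK7+fkHzYjcmbtf5KAMnJP2ieQLwwrMuRN/GsUUmgdLszor67WP5
o4JEdXKnrErFBUeMaNs=
=e17S
-----END PGP SIGNATURE-----
"""

# Code points from RFC 4880 (sections 5.2.1, 9.1 and 9.4); only the common ones are listed
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 section 6.1 (detects armor corruption, not tampering)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def read_block(lines, i, terminator):
    """Read 'Key: value' headers up to a blank line, then body lines up to `terminator`."""
    headers = {}
    while lines[i]:
        key, value = lines[i].split(": ", 1)
        headers[key] = value
        i += 1
    i += 1  # skip the blank separator line
    body = []
    while lines[i] != terminator:
        body.append(lines[i])
        i += 1
    return headers, body, i + 1


def split_clearsigned(text: str) -> dict:
    """Separate a clearsigned message into its header, signed text and raw signature bytes."""
    lines = text.splitlines()
    i = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    headers, msg, i = read_block(lines, i, "-----BEGIN PGP SIGNATURE-----")
    # Dash-escaping: the signer prefixes lines that start with "-" by "- "; strip it back off
    msg = [line[2:] if line.startswith("- ") else line for line in msg]
    armor_headers, armor, _ = read_block(lines, i, "-----END PGP SIGNATURE-----")
    crc_token = armor[-1][1:]  # the last armor line is "=" followed by the base64 CRC-24
    raw = base64.b64decode("".join(armor[:-1]))
    return {"hash_header": headers.get("Hash"), "message": "\n".join(msg),
            "armor_headers": armor_headers, "raw": raw, "crc_token": crc_token}


def parse_subpackets(data: bytes) -> dict:
    """Walk signature subpackets (RFC 4880 section 5.2.3.1), keeping creation time and issuer."""
    out, i = {}, 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        sub_type, payload = data[i] & 0x7F, data[i + 1:i + length]  # length covers the type byte
        i += length
        if sub_type == 2:    # signature creation time, big-endian seconds since the epoch
            ts = struct.unpack(">I", payload)[0]
            out["created_utc"] = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        elif sub_type == 16:  # issuer: the 8-byte long key ID
            out["issuer_key_id"] = payload.hex().upper()
    return out


def parse_signature_packet(raw: bytes) -> dict:
    """Decode an old-format, version-4 signature packet header (RFC 4880 sections 4.2 and 5.2.3)."""
    tag_byte = raw[0]
    if not tag_byte & 0x80 or tag_byte & 0x40:
        raise ValueError("expected an old-format packet header")
    tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    length_size = {0: 1, 1: 2, 2: 4}[length_type]
    length = int.from_bytes(raw[1:1 + length_size], "big")
    body = raw[1 + length_size:1 + length_size + length]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hashed_len])
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = parse_subpackets(body[p + 2:p + 2 + unhashed_len])
    info = {"packet_length": length, "sig_type": SIG_TYPES.get(body[1], hex(body[1])),
            "pubkey_algo": PUBKEY_ALGOS.get(body[2], str(body[2])),
            "hash_algo": HASH_ALGOS.get(body[3], str(body[3]))}
    info.update(unhashed)  # the issuer key ID is normally unhashed, i.e. not covered by the signature
    info.update(hashed)
    return info


def inspect_clearsigned(text: str = CLEARSIGNED) -> dict:
    """Combine armor-level and packet-level facts about a clearsigned message."""
    parts = split_clearsigned(text)
    info = parse_signature_packet(parts["raw"])
    computed = base64.b64encode(crc24(parts["raw"]).to_bytes(3, "big")).decode()
    info.update(hash_header=parts["hash_header"], message=parts["message"],
                crc_token=parts["crc_token"], crc_ok=computed == parts["crc_token"],
                short_key_id=info["issuer_key_id"][-8:],
                # The Hash: header sits outside the signed data; the packet's algorithm is authoritative
                hash_header_matches=parts["hash_header"] == info["hash_algo"])
    return info


if __name__ == "__main__":
    for key, value in inspect_clearsigned().items():
        print(f"{key:>20}: {value}")
```

For the article's output.txt the packet decodes to a canonical-text signature made with RSA and SHA1, created at 00:28:33 UTC on 2015-07-24 (08:28:33 PM EDT, as gpg printed) by long key ID ED4B189843D67E41, whose last eight hex digits are the 43D67E41 that gpg --verify shows. The point worth remembering is that everything this script reads is unauthenticated metadata: only a successful gpg --verify against a trusted public key proves that the text was not altered.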
      

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
