How to gpg sign a file without encryption
Environment
- Red Hat Enterprise Linux
- gnupg or gnupg2
Issue
- How can we sign a file using the desired private key without encryption? Should we use "--sign" or "--clearsign"?
- Every time we use gpg --sign it seems to make encrypted binary files. How do we prevent encryption and do only signing?
Resolution
- GnuPG offers 3 options for signing input data:
  - --detach-sign (synonym: -b): create a binary or ASCII-armored detached signature from the input
  - --clearsign: wrap the input in a plaintext signature
  - --sign (synonym: -s): encode the input into binary or ASCII-armored output with an integrated signature
  Only --sign can be used in concert with encryption.
  Input is provided the same way for all 3 options: via stdin or as a filename passed as an argument.
- --detach-sign
  This option is the most useful for simply ensuring the integrity (but not the privacy) of a large file.
  Signing:
    [user]$ cat inputdata.txt
    My message is here.
    [user]$ gpg --detach-sign -o sig.gpg inputdata.txt
  Verification: gpg --verify checks the signature. Note that the signature file must be given before the data file:
    [user]$ gpg --verify inputdata.txt sig.gpg
    gpg: no valid OpenPGP data found.
    gpg: the signature could not be verified.
    Please remember that the signature file (.sig or .asc)
    should be the first file given on the command line.
    [user]$ gpg --verify sig.gpg inputdata.txt
    gpg: Signature made Thu 23 Jul 2015 09:15:16 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
- --clearsign
  This option is meant to be used with ASCII (text) input data.
  Signing:
    [user]$ cat inputdata.txt
    My message is here.
    [user]$ gpg --clearsign -o output.txt inputdata.txt
  Verification: gpg --verify checks the signature. Despite the lack of encryption, gpg --decrypt also checks the signature and outputs the original data with the signature stripped:
    [user]$ cat output.txt
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    My message is here.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.14 (GNU/Linux)

    iJwEAQECAAYFAlWxhrEACgkQ7UsYmEPWfkECmwP/alQ025erUVowZqe3PB8YE37H
    mKiFTyVLWDyTSYHo7IJBCHww0xDVt8VvZ1CdoDzDWYFlWuxLSa6G1G8Flbmhq5kD
    UNmkazt7p4m+CK7+fkHzYjcmbtf5KAMnJP2ieQLwwrMuRN/GsUUmgdLszor67WP5
    o4JEdXKnrErFBUeMaNs=
    =e17S
    -----END PGP SIGNATURE-----
    [user]$ gpg --verify output.txt
    gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ gpg --decrypt output.txt
    My message is here.
    gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ gpg -d -o original.txt output.txt
    gpg: Signature made Thu 23 Jul 2015 08:28:33 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ cat original.txt
    My message is here.
- --sign
  This option is most commonly used in concert with encryption (i.e., --encrypt or --symmetric); however, it can be used on its own (this is rare).
  Signing (here combined with encryption to the recipients Badger and Cow):
    [user]$ cat inputdata.txt
    My message is here.
    [user]$ gpg --encrypt --recipient Badger -r Cow --sign -o output.gpg inputdata.txt
  Verification: if the input is not encrypted, gpg --verify checks the signature. Whether the input is encrypted or not, gpg --decrypt checks the signature and outputs the original data with the signature stripped. Because the output above is encrypted, --verify fails and --decrypt must be used:
    [user]$ gpg --verify output.gpg
    gpg: verify signatures failed: Unexpected error
    [user]$ gpg --decrypt -o output.txt output.gpg
    You need a passphrase to unlock the secret key for
    user: "Moo Cow "
    1024-bit RSA key, ID DA77CB4C, created 2015-07-22 (main key ID 43D67E41)
    gpg: encrypted with 1024-bit RSA key, ID 3F54674E, created 2015-07-24
          "Honey Badger "
    gpg: encrypted with 1024-bit RSA key, ID DA77CB4C, created 2015-07-22
          "Moo Cow "
    gpg: Signature made Thu 23 Jul 2015 09:07:18 PM EDT using RSA key ID 43D67E41
    gpg: Good signature from "Moo Cow "
    [user]$ cat output.txt
    My message is here.
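The three signing modes above, exercised end to end in one script against a throwaway keyring, including a check that a modified file no longer verifies. This is an added example, not part of the Red Hat solution; it assumes GnuPG 2.1 or newer (for --quick-gen-key) and uses a constructed test identity and constructed file contents.

```shell
#!/bin/sh
# Added example, not from the original solution. Exercises the three GnuPG
# signing modes against a throwaway keyring, then shows that modifying the
# signed data makes verification fail. Assumes GnuPG 2.1+ (--quick-gen-key).
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

# Isolated, temporary GNUPGHOME so the real keyring is never touched.
GNUPGHOME=$(mktemp -d); export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
cd "$GNUPGHOME"

g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Ephemeral, passphrase-less key under a constructed identity.
g --quick-gen-key 'Example Signer <signer@example.invalid>' default default never
printf 'My message is here.\n' > inputdata.txt

g --detach-sign -o sig.gpg inputdata.txt    # signature in a separate file
g --clearsign   -o output.txt inputdata.txt # text wrapped in a plaintext signature
g --sign        -o output.gpg inputdata.txt # binary message with integrated signature, no encryption

# verify_all: succeeds only if all three signatures verify. For the detached
# case the signature file must be given before the data file.
verify_all() {
    g --verify sig.gpg inputdata.txt 2>/dev/null &&
    g --verify output.txt 2>/dev/null &&
    g --verify output.gpg 2>/dev/null
}

# recovered_text: --decrypt on an unencrypted --sign output checks the
# signature and prints the original data with the signature stripped.
recovered_text() { g --decrypt output.gpg 2>/dev/null; }

# tampered_fails: change the data after signing; the detached signature must
# no longer verify (a signature gives integrity, not privacy).
tampered_fails() {
    printf 'My message is NOT here.\n' > tampered.txt
    ! g --verify sig.gpg tampered.txt 2>/dev/null
}

verify_all && echo "all three signatures verify"
[ "$(recovered_text)" = "My message is here." ] && echo "--decrypt recovered the original text"
tampered_fails && echo "tampered data was rejected"
```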
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.