Digital signatures can be used to establish the authenticity and integrity of a (binary) file. These signatures can also be used for non-repudiation purposes, but that's usually not the intention when you're distributing or receiving files. (Note: non-repudiation means that the signer cannot later deny having signed, because the signature establishes beyond doubt that the signer's key was used to create it.)
The easiest and most secure way of creating and verifying digital signatures is by using PGP. The following commands assume that you have downloaded and configured GPG, the free and complete implementation of the OpenPGP standard.
Create a digital signature of FILENAME

```
gpg --armor --detach-sig --output FILENAME.sig FILENAME
```

| Option | Meaning |
|---|---|
| `--armor` | make sure that the signature file is ASCII armored (Radix-64 encoded) rather than binary |
| `--detach-sig` | create a separate signature file instead of embedding the signature in the data |
| `--output` | the name of the signature file |
Paranoid options

| Option | Meaning |
|---|---|
| `--no-version` | don't show which software version has been used to create the signature |
| `--comment` | don't show which software has been used to create the signature |
Verify a digital signature

```
gpg --verify FILENAME.sig
```

This command assumes that the original file is `FILENAME` and resides in the same location as the signature file `FILENAME.sig`. To verify a signature you also need the signer's public key. If you don't have that key, you can add it to your local keyring.
Add a public key to your keyring

```
gpg --recv-keys KEYID
```

You can also add `--keyserver KEYSERVER` to specify which keyserver to query.
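The signing and verification steps above, wrapped as an added shell example that is not from the original post: besides running the commands as given, it pins the expected signer fingerprint, because gpg's "Good signature" only means that some key in your keyring produced the signature. It assumes GnuPG 2.1 or later; `verify_pinned`, `run_demo`, the throwaway key and the sample file are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around the sign and
# verify commands above. gpg --verify reports "Good signature" for any key in
# the local keyring, so the wrapper additionally pins the expected signer's
# fingerprint by reading gpg's machine-readable --status-fd output.
set -u

# verify_pinned EXPECTED_FPR SIGFILE FILE
# Succeeds only if the detached signature is valid AND was made by the key (or a
# subkey of the key) whose 40-hex-digit fingerprint is EXPECTED_FPR. The VALIDSIG
# status line carries the signing-key fingerprint first and the primary-key
# fingerprint last (documented in GnuPG's doc/DETAILS).
verify_pinned() {
    expected_fpr=$1; sigfile=$2; file=$3
    gpg --batch --status-fd 1 --verify "$sigfile" "$file" 2>/dev/null \
        | grep -Eq "^\[GNUPG:\] VALIDSIG ($expected_fpr |.* $expected_fpr\$)"
}

# run_demo: creates a throwaway key in a temporary GNUPGHOME (assumes GnuPG
# 2.1+ for --quick-generate-key and loopback pinentry), signs a constructed
# sample file exactly as in the post, then checks the genuine file, a tampered
# copy, and a mismatched pinned fingerprint. Prints one summary line.
run_demo() {
    home=$(mktemp -d); chmod 700 "$home"; export GNUPGHOME="$home"
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-generate-key \
        'Demo Signer <demo@example.invalid>' default default never >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '/^fpr/ { print $10; exit }')
    printf 'release 1.0 contents\n' > "$home/FILENAME"          # constructed sample file
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sig --output "$home/FILENAME.sig" "$home/FILENAME" 2>/dev/null
    if verify_pinned "$fpr" "$home/FILENAME.sig" "$home/FILENAME"; then r1=ok; else r1=rejected; fi
    printf 'x' >> "$home/FILENAME"                               # tamper after signing
    if verify_pinned "$fpr" "$home/FILENAME.sig" "$home/FILENAME"; then r2=ok; else r2=rejected; fi
    printf 'release 1.0 contents\n' > "$home/FILENAME"          # restore the genuine file
    wrong=$(printf '%s' "$fpr" | tr '0123456789ABCDEF' '1234567890BCDEFA')  # some other fingerprint
    if verify_pinned "$wrong" "$home/FILENAME.sig" "$home/FILENAME"; then r3=ok; else r3=rejected; fi
    gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$home"; unset GNUPGHOME
    printf 'untampered:%s tampered:%s wrong-key:%s\n' "$r1" "$r2" "$r3"
}

run_demo
```

In real use, put the publisher's fingerprint (obtained out of band, not from the same download location) into `EXPECTED_FPR`; a verify that passes without that pin tells you only that a key you imported signed the file.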