21.03.2024

Creating a digital signature with GPG

With the emergence of information systems, organisational, HR, accounting or any activity involving the transmission of documents has gone digital. It has become more convenient to store, transmit, modify and process large data streams. However, information has become susceptible to attacks on its basic properties of integrity, availability and confidentiality. And a solution was needed, which, like a seal or a signature, can ensure the safety of these properties!

This solution was the technology of electronic digital signature, or EDS. It is a system that performs cryptographic transformations with a trusted party, which allows to confirm the authenticity and integrity of the transmitted message!

What is a GPG signature?

GPG signature is an analogue of a normal human signature on documents. It is not a picture or a graphical signature, but a string sequence that has been generated by a unidirectional hashing function and encryption process by a cryptographic algorithm.

The input to a cryptosystem, or a programme that allows cryptographic transformations, is information that needs to be signed. The file or string sequence to be signed passes through a unidirectional mathematical function or hash function that converts the data into a meaningless sequence. But unique for the given text or file. That is, if you change a single character, the function will have a different meaning. Asymmetric encryption algorithm is responsible for confidentiality.

Installing and configuring GPG

Let's take an example of the process of creating a signature for a file or message so that the recipient can be sure of the integrity, authenticity and, in some configurations, confidentiality of the transmitted data. First, let's update the packages on the machine so that all dependencies are up to date and there are no problems in the connection.

apt update && apt upgrade -y

By default, distributions already include the gnupg package solution, which allows you to perform cryptographic conversions. However, if your device does not have it, specify a package manager and command:

apt install gnupg -y

Screenshot №1 — Installation

Before we start a test machine, which we can do on Serverspace cloud platform which will help in easy deployment, also you can skip this step if you have a cloud server. To create the node we need to find the cloud platform from the left menu which you can choose depending on your requirement. We choose vStack or VMware platform and click on Create Server button.

Screenshot №2 — Create machine

It will take some time to deploy server capacity. After that you can connect in any of the convenient ways. Let's return to our terminal with the utility already installed, to familiarise ourselves with the syntax we will write the commands:

gpg -h

Screenshot №3— Help command

As we can see, the list of options is quite extensive. Therefore, let's focus on the main options and functions of the command, which may be needed in the course of performing basic actions.

How do I create GPG keys?

In order to sign a message, a key pair must be generated using an asymmetric encryption algorithm:

gpg --full-generate-key --expert

Use gpg with --full-generate-key and --expert options for more detailed key and user configuration. By selecting the RSA encryption algorithm, key length 2048 and setting the user ID, we will make sure that the keys have been created. By default, it is stored in a keyring or keyring database, which is encrypted with the user key. Accordingly, the authenticity of the message and files depends on the length of the user's key and password, during transmission and storage. Therefore, it is necessary to set a complex password, preferably from 14 characters.

Let's look at the key pairs created, for public -k, for private -K:

gpg -k

Screenshot №4 — Show keys

In order for the recipient to verify the signature it is necessary to export and then import the public keys to the recipient:

gpg -a -u Koldek --export > keys.asc

Screenshot №5 — Export keys

To view the key, enter the command:

cat keys.asc

Now there are two options for data distribution, because of the threat of public key spoofing, in the initial transmission we need to work through intermediaries or trust the source key. Consider the Web-of-Trust model, which involves trusting sources based on user ratings. We place our key on our own or WoT site, and distribute it on users' request.

Be sure to check the hash values after receiving the key and downloading it - they must match!

In the scheme with the certification centre, we need to register our public key and get a certificate, which will contain a new EDS from the certification centre. If the user trusts the CA, the signature is decrypted and verified accordingly.

Once you have the key, you need to import it with the command:

gpg --import key.asc

Screenshot №6 — Import keys

After importing we see the key number and name, which we can also verify for authentication:

If we try to verify a test message, we will get a warning about the unknown origin of the key. To verify that the keys are trusted, a database or trusted gpg is used to store a list of keys and their trust level.

Screenshot №7 — Untrusted keys

Let's write the trust level manually by changing the key parameters with the command:

gpg --edit-key Koldek

And then select the item you want to edit - trust:

Screenshot №8 — Modification of trust level

To fully trust the key, you should select item 5, but before that, check the hash values and the key data! And confirm your choice:

Screenshot №9 — Trust for keys

At the bottom we see a note that the key trust will change after restarting the utility, which we will do.

How can I create and verify a GPG signature?

Let's go back to the previous machine where we generated the keys and sign the first message!

There are three options on how you can sign a message:

The first way is a file in which the message itself and the signature are separated, no special means are required to read the file. Only to confirm the signature. Let's write the command:

gpg -a -u Kolded --clear-sign target.txt

Screenshot №10 — Clear sign

After signing, transfer the file in any convenient way and verify the message in the file already on the recipient's side:

gpg --verify target.txt.asc

Screenshot №11 — Verification of clear sign

As you can see now warnings and errors do not appear and the date of message signing is set. However, without a time server, it is possible to spoof these values, as they are stored in the metadata of the file and are not verified like the message itself.

The next method, a separate file with the signature, which can be convenient for software packages when it is not necessary to modify them with a signature. All you need to do is download a separate file for verification:

gpg -a -u Koldek -b target.txt > target.txt.asc

For the sake of clarity, let's immediately verify its authenticity with a command:

gpg --verify target.txt.asc

Screenshot №12 — Detached sign

Note that now we need to transfer the message itself and its signature to the machine, preferably in the same folder.

But how to ensure confidentiality, integrity and authenticity of the transmitted signature at the same time? It is enough to encrypt it after creating it! This will ensure the confidentiality of our message, file or document. To do this, let's write the command:

gpg -a -u Koldek -r Raider -se target.txt
Note that the -u parameter is responsible for whose key to sign, and -r is responsible for whose public key to encrypt the message

A file will be generated in which the message and signature will already be integrated, now you need to verify and decrypt it with the command:

gpg -d target.txt.asc

Screenshot №13 — Encrypt and sign

In the creation of digital signatures using GPG, we see a powerful tool for ensuring security and trust in information exchange. This process guarantees the integrity of data and confirms authorship, opening up new possibilities for secure messaging and file sharing in the digital world.