Signing your files and verifying.

How do you make sure a file is sent from the correct person, and is not corrupted on its way to you? A digital signature needed, as I have talked in the first blog It can prove the sender and the message.

Showing everyone your keys – send it to a keyserver

use `gpg --keyserver a-key-server-here --send-keys KEY-ID-HERE` to send to keyserver.

subsitute a-key-server-here with one of the following, just copy the text, not the link:

1. keys.openpgp.org https://keys.openpgp.org/

2. pgp.mit.edu http://pgp.mit.edu/

3. keyserver.ubuntu.com https://keyserver.ubuntu.com/

Substitute KEY_ID_HERE with your key id

Troubleshoot: It you met any problem in sending the key, you can try their interface, just click on the links and follow the site’s directions.

Then use `gpg --keysever keysever-you-just-wrote --recv-keys KEY_ID_HERE` To check status

If it shows something like “successfully found key …” you are done!

Signing files -detached signature

Use `gpg --detach-sign FILE_NAME_HERE` for a detached sign of the file, the .sig file is the detached signature file, send the original file AND the .sig file to the reciever.

If you want human-readable signature, try `gpg --detach-sign -a FILE_NAME_HERE` The .asc file is a human-readable acsii encoded file. Same, send the .asc file AND the original file to

Signing files -entached signature

Use `gpg --sign FILE_HERE` the .gpg file contains the message AND the signature.

Verifying a detached signature

Use `gpg --import File_Name_Contains_Public-Key` to import public key

Use `gpg --verify "signature-file-here" "original-file-here"`

If produces “Good signature from xxxxx, then message is not corrupted”

Or else “bad signature from xxxx”, then the message is CORRUPTED!

Verifying an entached signature

Use `gpg --import File_Name_Contains_Public-Key` to import public key

For example, I recieved a code.txt.gpg, first create a file without the .gpg, in this example, code.txt.

Use `gpg --output "without-gpg-filename" ".gpg-signed-file"`

If it is a “good signature from xxx” the message is not corrupted

Else, the message IS CORRUPTED

If it is a good signature, open the file with name without .gpg, in this case, code.txt, then you can see the original message!

You are done!

Next class we are going to learn encrypting and decrypting files! Get ready!

Comment here

back

Signing your files and verifying.

How do you make sure a file is sent from the correct person, and is not corrupted on its way to you? A digital signature needed, as I have talked in the first blog It can prove the sender and the message.

Showing everyone your keys – send it to a keyserver

use gpg --keyserver a-key-server-here --send-keys KEY-ID-HERE to send to keyserver.

subsitute a-key-server-here with one of the following, just copy the text, not the link:

1. keys.openpgp.org https://keys.openpgp.org/

2. pgp.mit.edu http://pgp.mit.edu/

3. keyserver.ubuntu.com https://keyserver.ubuntu.com/

Substitute KEY_ID_HERE with your key id

Troubleshoot: It you met any problem in sending the key, you can try their interface, just click on the links and follow the site’s directions.

Then use gpg --keysever keysever-you-just-wrote --recv-keys KEY_ID_HERE To check status

If it shows something like “successfully found key …” you are done!

Signing files -detached signature

Use gpg --detach-sign FILE_NAME_HERE for a detached sign of the file, the .sig file is the detached signature file, send the original file AND the .sig file to the reciever.

If you want human-readable signature, try gpg --detach-sign -a FILE_NAME_HERE The .asc file is a human-readable acsii encoded file. Same, send the .asc file AND the original file to

Signing files -entached signature

Use gpg --sign FILE_HERE the .gpg file contains the message AND the signature.

Verifying a detached signature

Use gpg --import File_Name_Contains_Public-Key to import public key

Use gpg --verify "signature-file-here" "original-file-here"

If produces “Good signature from xxxxx, then message is not corrupted”

Or else “bad signature from xxxx”, then the message is CORRUPTED!

Verifying an entached signature

Use gpg --import File_Name_Contains_Public-Key to import public key

For example, I recieved a code.txt.gpg, first create a file without the .gpg, in this example, code.txt.

Use gpg --output "without-gpg-filename" ".gpg-signed-file"

If it is a “good signature from xxx” the message is not corrupted

Else, the message IS CORRUPTED

If it is a good signature, open the file with name without .gpg, in this case, code.txt, then you can see the original message!

You are done!

Next class we are going to learn encrypting and decrypting files! Get ready!

Comment here

use `gpg --keyserver a-key-server-here --send-keys KEY-ID-HERE` to send to keyserver.

Then use `gpg --keysever keysever-you-just-wrote --recv-keys KEY_ID_HERE` To check status

Use `gpg --detach-sign FILE_NAME_HERE` for a detached sign of the file, the .sig file is the detached signature file, send the original file AND the .sig file to the reciever.

If you want human-readable signature, try `gpg --detach-sign -a FILE_NAME_HERE` The .asc file is a human-readable acsii encoded file. Same, send the .asc file AND the original file to

Use `gpg --sign FILE_HERE` the .gpg file contains the message AND the signature.

Use `gpg --import File_Name_Contains_Public-Key` to import public key

Use `gpg --verify "signature-file-here" "original-file-here"`

Use `gpg --import File_Name_Contains_Public-Key` to import public key

Use `gpg --output "without-gpg-filename" ".gpg-signed-file"`