Sign with GPG Key
One of the greatest feature from GnuPG is the ability to sign an object or a payload (e.g. message) with your GPG identity. It's like the handwritten signature you sign on your letter back in time. Only this time, it can't be easily photoshopped for falsification, blackmailing, and identity theft.
This section guides you on how to sign a payload with your GPG Key.
Identify Sign Capability
We start off by identifying your primary key ID and there is a secret subkey for signing. This is by using the following command and find your key:
gpg --list-secret-keys --keyid-format LONGExample:
$ gpg --list-secret-keys --keyid-format LONG...---------------------------sec rsa4096/F5EF57A0FB4EF0EF 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith <john.smith@company.com>uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>ssb rsa4096/66F2E45747AB2C90 2020-01-10 [S] [expires: 2022-01-09]ssb rsa4096/9D485C5208D0859F 2020-01-10 [E] [expires: 2022-01-09]ssb rsa4096/90939A7DBBFC226D 2020-01-10 [A] [expires: 2022-01-09]ssb ed25519/16972F736B59F874 2020-01-10 [S] [expires: 2022-01-09]ssb ed25519/D22D6E1FD575E506 2020-01-10 [A] [expires: 2022-01-09]ssb cv25519/25252612A403B41C 2020-01-10 [E] [expires: 2022-01-09]In the example above,
- The primary key ID is:
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF. Make sure this is the primary key you wanted to use. - the sign-capable ("
[S]" label) sub-keys are:66F2E45747AB2C90, and16972F736B59F874.
Sign Payload With Subkey
There are various ways to sign the payload with the primary key. It depends on the type of output you're looking for. Also, if no subkey is supplied, GPG will use the latest sign subkey to perform the signing process. All sign processes create an output payload instead of overwriting with the original payload.
Simple Sign
This appends the output signature in binary format embedded into the output payload,
$ gpg --sign <path/to/object> # using latest/default subkey$ gpg --local-user <sub-key ID> --sign <path/to/object> # if you need specific subkeyIt will generate a new payload file with the extension: .gpg. This is the simplest and suitable for all files. A sign example is as follows:
# check current directory$ lsobject.txt# check payload file$ cat object.txt This is my message# sign with --sign$ gpg --sign object.txt# check current directory again. This time we have an gpg output payload file$ lsobject.txt object.txt.gpg# read the output payload file$ cat object.txt.gpg � ������x�ge�ra� � ?�$���� �����5n�B22� �(�R!7��81=���ј����AVL�����ɓڟ�U�3�� ����S&ru ���WǞ���t�Q`Jt�� ?Y�|'�+jZ����Fm��w�|���.�~1�����ٓ]}�y�! {?��v�Wju���L���~4��r�ic����7�� v�q:{� ��m��Ds�w<J/�n�m��8�t<l�ƴ�]חl�_��@� �����/LN�(z4M!�~a�f�\}��=�^ |`���� � +K�Mo�n0Sg~�����b!�� v�w�4X��֬��Y s��{'��<���T_�G��cy��sSKt4�^���y�'��K���B]Clear Sign
This appends the output signature in text format embedded into the output payload, the command would be:
$ gpg --clear-sign <path/to/object> # using latest/default subkey$ gpg --local-user <sub-key ID> --clear-sign <path/to/object> # if you need specific subkeyIt will generate a new payload file with the extension: .asc. This is suitable for document signing much like replacing the handwritten signature. A clear sign example is as follows:
# check current directory$ lsobject.txt# check payload file$ cat object.txt This is my message# sign with --clear-sign$ gpg --clear-sign object.txt# check current directory again. This time we have an asc output payload file$ lsobject.txt object.txt.asc# read the output payload file$ cat object.txt.asc -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256This is my message-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEE3+OElxFjkofk3SCV2UypZSNxXRIFAlusRuoACgkQ2UypZSNxXRL6kQgAjta+zAao3lBdZq/lrSaV0I1FXajgDHqXDgvN0X+nW63H/hi51Mr32qqQcArFTcL4P468SHbo2qOmKYyy3kUb+SeLy3QuKFnTm6oG0siRR1VPdDoU19upl3x8c/JwdPSymCcGLJPmS2g8L9AfC0JUkHnYedaQtFk538W8vGMKFeHTIw+Ex+8tOAM6GbaNXj2zgZHJSYqyJgyyhkgVkfa5PpkXHpIlCoQWiOrG6sBilJ3i8obM5BcNOhtPG3VZqRxv5Moxy3I52+tFAC0vZZh87DhgtTPWBifbVgBdyuojjlCpOTdkLv+3TqdVMbNWOarObTw76e6vjIN5sfbdi72M4g===wwHj-----END PGP SIGNATURE-----Detach Sign
This appends the output signature in text format into a separate file certificate while leaving the payload intact, the command would be:
$ gpg --detach-sign <path/to/object> # using latest/default subkey$ gpg --local-user <sub-key ID> --detach-sign <path/to/object> # if you need specific subkeyIt will generate a new certificate file with the extension: .sig. This is suitable for issuing identity certificate against a given payload, ensuring its integrity from future temperament while leaving the original payload as it is.
# check current directory$ lsobject.txt# check payload file$ cat object.txt This is my message# sign with --detach-sign$ gpg --detach-sign object.txt# check current directory again. This time we have an sig signature file$ lsobject.txt object.txt.sig# read the output payload file$ cat object.txt.sig-----BEGIN PGP SIGNATURE-----iQEzBAABCAAdFiEE3+OElxFjkofk3SCV2UypZSNxXRIFAlusUVoACgkQ2UypZSNxXRKn/AgAtW/djZD0LzNsSQ1ZXDytlqH1+DRjAVHAvV2a3iyyu8vnrun94N+nU37XCtSO8lHANwvclY+Mv6o3H9FvE8hnSiyishLIyAQ3kFNQDLdLGsOyHeem6/cziOB2FRMVfhNLOJyjTtBe/f4y7DLHA1kK5aKIXNSC3Iv/1qyx/RglaHeBzN4TbnWcOooQXCKZ7fvgu+u8XqTJKZ8RnrVf3/92AOycgfcyKTpLYphhssmcppq3aDncdDtDbYFnjFcmDQIeYSXEFTvBZLNv/tW4SpJETtfyCKdZRq8fR1aetuY8ffQ3y766W4pD+m9Fickk3YCjVBSY5+P1eK3I+W0ZC7Y5Xg===Hi2/-----END PGP SIGNATURE-----Verify Signature
All signature are verifiable. Unfortunately, this is outside of this section's scope so look for verify section in the index page.
That's all about signing a payload with GPG.