GPG Concept and Usages

Jephe Wu - http://linuxtechres.blogspot.com

Objective: understanding how gpg works and command usages
Environment: RHEL or CentOS, GnuPG


Concepts:
1. keypair generation
When you generate a pair of gpg keys by using command 'gpg --gen-key', basically you generated two pair of keys, one is used for DSA signature, another is for encryption/decryption(Elgamal). Private key contains the private part for both DSA and Elgamal keys, Public key contains the public part for both DSA and Elgamal keys.

You can use private key or public key to sign or encrypt file, then send to the peer. Or you can encrypt and sign at the same time.

when to use sign only?
If you need to publish a software to the public, in this case, the software itself is not confidential, you don't have to encrypt it. You can sign the software itself, in this case, you attach you signature at the end of the software. Or just put software itself on the website, then upload your signed result(.sig for binary file and .asc for ascii file) on the website for users to verify the signature of your software. Of course, user needs to get your master sign key(a part of public key) first. In order to let user to make sure that public key/sign key beglongs to you, you can put on your website for user to download. Or in personal email communcation case, just email public key to the peer.

If you need to communicate with your friends with some secret messages, like password, bank statements etc, you might need to use both encrypt/sign functions.

2. when you received a public key, what to do?
Firstly, you need to import to your public key ring, then you need to make sure it's from the real person you'd like to communicate with. If you received it through email or downloaded from that person's website, you will be pretty sure it's from that person, if not, you can check the fingerprint of that public key then call the person to confirm:

gpg --import jephe.gpg

gpg --fingerprint # get the fingerprint of the master public sign key
gpg --sign-key "emailaddress or name"

or run commands below to sign the key to validate it.
gpg --edit-key "emailadddress or name"
fpr
sign

3. how gpg sign files (what does it mean for 'good signature' after decrypting encrypted/signed file)
The following paragraph is from http://www.glump.net/howto/gpg_intro.
When GPG creates a digital signature, it doesn't encrypt the entire file with the signer's private key. Instead, it computes a hash value,6) encrypts that, and appends it to the original data as the signature. This makes it possible to create signed files that are readable without any encryption software, and aren't significantly larger; GPG is needed only to verify the authenticity of the file.

To verify a signature, GPG reads the data that was signed and computes its hash value. Then it decrypts the signature, using the signer's public key, to obtain the true hash value. If the two hash values match, the signature is valid and the data you have is exactly the data the signer had when he created the signature.

3.1 how to sign a file?
a. gpg -s # sign a file and append signature information to the file. No matter the file is ascii or binary file

b. For ascii files, you can also use --clearsign feature, for example.
 # gpg -r jephe@domain.com --clearsign hosts  # in this case, the original text and signature are in the same file.
# cat hosts.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1        localhost.localdomain localhost
10.0.0.1        jephe.domain.com    jephe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFNeH45bkqqCc9zAksRAtwvAKCzxPtS8VajyPVL69+5L1KhOcHsPACgoAUf
bD+LeQhMSMkLqt41+mwHTOM0
=Wnmj
-----END PGP SIGNATURE-----

You can verify the signature by using 'gpg --verify hosts.asc'.

c. sign a binary file with detached signature (doc and zip files are not allowed for appending to it)
gpg -r jephe@domain.com -o file.zip.sig --detach-sign file.zip

Note: you need to use only .sig or .asc as detached file name. And, when you use gpg --verify to verify signature, you need to have original file and signature file at the same current directory, otherwise, gpg will report 'bad signature' because gpg needs the original data file to calculate hash value. Pls refer to point 3.

4. other usages
a. use symmetric key to encrypt/decrypt file
gpg -c files

b. decrypting files automatically
echo PASSPHRASE| gpg --passphrase-fd 0 OPTIONS COMMAND
or
cat filecontainspassphrase | gpg --passphrase-fd 0 OPTIONS COMMAND

c. Encrypting for Multiple Recipients
You can specify more than one people who need to decrypt your file, gpg will use public keys from all these people to encrypt file in such a way that any one of their private key can decrypt the file.
gpg -e -r user1 -r user2