Jan 14, 2019 · 3 min read

How to Sign and Verify a Document or File using PGP/GPG

This article is a continuation of “Cryptography for Absolute Beginners”; I recommend reading it first.

Note that you will need to have GnuPG (GPG) installed before starting the tutorial.


First, a bit of background as to how this works:

A digital signature certifies and timestamps a document.

If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant.

Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer. The signature is verified using the corresponding public key.

Alright, now that we know what it is all about, we can take a look at how to sign your document. I’ll show you the commands first, then walk through an example.

To sign a document with PGP, run this in the command-line:

gpg --output document.sig --sign document.pdf

Here “document.pdf” is the path to the document you want to sign and compress. It doesn’t need to be a .pdf; it can be any type of file. After you enter the password for your private key, GPG will output the “document.sig” file into C:\Users\YourPCName (on Windows).

To verify a document that has been signed with PGP, run this in the command line:

gpg --output document.pdf --decrypt document.sig

This will output the decrypted “document.pdf” into C:\Users\YourPCName, provided you have the public key of the person who signed the document. In the command line you will see something like this:

gpg: Signature made 03/12/16 12:02:38 Coordinated Universal Time using DSA key ID ABD907D3
gpg: Good signature from “Person <person@domain.tld>”

Now, on to an example:

Bob wants to send Kate a sensitive document, and he wants to make sure that it isn’t tampered with along the way. The document is called “classifiedinfo.docx” and it is located at D:\Users\Bob. He types this into the command line:

gpg --output classifiedinfo.sig --sign D:\Users\Bob\classifiedinfo.docx

Note that you can choose any name you like for the .sig file.

Now he types in his private key’s password, retrieves the signed file from D:\Users\Bob and sends it to Kate. He also tells her that it is a .docx file. Kate has already imported Bob’s public key into GPG.

Kate verifies and decompresses Bob’s file by running this in the command line:

gpg --output classifiedinfo.docx --decrypt C:\Users\Kate\Downloads\classifiedinfo.sig

She gets this message in the command line:

gpg: Signature made 02/12/2016 15:39:05 Central African Time using DSA key ID A657BC83
gpg: Good signature from “Bob < >”

Good. The document is untampered and genuine. She opens it.
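“Good signature” tells Kate that the file was signed by some key in her keyring; a script should also confirm that the key is Bob’s. The following is an added example, not part of the original tutorial: it runs the same --decrypt command with GnuPG’s machine-readable --status-fd output and keeps the extracted file only if the signature is valid and made by a pinned fingerprint. The function names, fingerprints and sample status lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# sig_ok EXPECTED_FPR   (reads GnuPG --status-fd lines on stdin)
# Succeeds only if a VALIDSIG line names EXPECTED_FPR (as signing key or as
# primary key) and no bad, expired, revoked or uncheckable signature is seen.
sig_ok() {
  awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" && want != "" && ($3 == want || $NF == want) { good = 1 }
    END { exit !(good && !bad) }
  '
}

# verify_signed SIGNED_FILE OUTPUT_FILE EXPECTED_FPR
# Same operation as the tutorial's --decrypt command, but the extracted file
# is written to a temporary name and only kept if the pinned check passes.
verify_signed() {
  vs_tmp="$2.unverified"
  vs_status=$(gpg --batch --yes --status-fd 1 --output "$vs_tmp" \
                  --decrypt "$1" 2>/dev/null) || true
  if printf '%s\n' "$vs_status" | sig_ok "$3"; then
    mv -- "$vs_tmp" "$2"
  else
    rm -f -- "$vs_tmp"
    return 1
  fi
}

# Constructed sample data (placeholder fingerprints, not real keys).
BOB_FPR='AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Bob <bob@example.test>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2016-12-02 1480685945 0 4 0 17 8 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'
# A valid signature, but made by a different key that is also in the keyring.
OTHER_SIGNER_STATUS='[GNUPG:] GOODSIG 2222111100009999 Someone Else <other@example.test>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2016-12-02 1480685945 0 4 0 17 8 00 9999888877776666555544443333222211110000'
# The file was modified after signing.
BAD_STATUS='[GNUPG:] BADSIG 0000111122223333 Bob <bob@example.test>'
```

Kate would call it as verify_signed classifiedinfo.sig classifiedinfo.docx followed by Bob’s fingerprint, which she obtains from Bob over a separate channel and can compare against the output of gpg --fingerprint.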

In my next tutorial we’ll learn to clearsign a document.

Check out my other tutorial, if you haven’t already:

Cryptography for Absolute Beginners
