About PGP Signing a File.

Joel Bryan Juliano joelbryan.juliano at gmail.com
Sun Feb 11 09:59:07 UTC 2007


On 2/11/07, Jeffrey F. Bloss <jbloss at tampabay.rr.com> wrote:
> Joel Bryan Juliano wrote:
>
> > Hi,
> >
> >  I have a question regarding signing a file or binary, I installed
> > Seahorse which is really awesome tool! And it has a nautilus-extension
> > that easily Encrypt and Sign a file or directory by right-clicking the
> > file. Can someone please tell me the use of signing a binary file or
> > directory? I know it's important, but I really don't get it.
>
> The purpose of a digital signature is primarily to guarantee the
> integrity of the signed file. To assure the person who checks the
> signature against the file that the original hasn't been tampered with
> in any way. So any place you need to guarantee file integrity you can
> use a gpg signature.
>
> In a public setting the benefits are obvious. All your Ubuntu software
> installs and system updates should be using digital signatures to
> verify their integrity, for example.
>
> In a private setting the usefulness isn't quite so obvious, but if you
> have a copy of your will or any other legal documents on your machine
> for example, it's a good idea to sign them. There are also time-stamping
> services available which will stamp your signature with one of
> their own and make that "sub-signature" public, irrefutably proving a
> time line. Precautions that might prevent some shady cousin on your
> wife's side from cutting out your kids and writing himself in for
> your billions. ;)
>
> I've also used digital signatures to monitor changes in critical system
> files and logs. Not so much in modern times because there's simpler,
> easier ways to do what I used to do with signatures, but it is one
> potential application.
>
> In fact, if you run something like a modern version of rkhunter I
> believe you have the option of using some of the very same hashing
> schemes gpg uses in its digital signatures to verify the integrity of
> the files it keeps track of. Most of your /sbin directory for
> example. And there used to be a very excellent piece of antivirus
> software floating around called "Integrity Master" which used
> (proprietary?) cryptographic signatures to verify executables on DOS
> boxes. So the usefulness of "local" signatures isn't as broad and
> visible as the more common signed message or software update
> application, but it still exists for a lot of people.
>

Thanks for your awesome reply! This is very valuable information I
learned about PGP signing and the benefits of it, which is really,
really interesting! I have a PGP key that I registered a year ago and
it's really handy for creating Debian packages for experimental (or, as
I call it, my kind of fun) purposes.

Again, PGP is very very valuable, it's really amazing we have
something like this!

One more thing, do we need to have a key (i.e. ~/.gnupg/*) in order to
verify the signed file or binary?


> --
>      _?_      Outside of a dog, a book is a man's best friend.
>     (o o)         Inside of a dog, it's too dark to read.
> -oOO-(_)--OOo------------------------------[ Groucho Marx ]---
>                     http://wrench.homelinux.net/~jeff/
>


-- 
Carpe Diem

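The workflow Jeffrey describes, as an added example that is not code from either message in this thread: the sign step that Seahorse's context menu performs, done on GnuPG's command line against throwaway keyrings so nothing in a real ~/.gnupg is touched. It creates a short-lived signing key, detach-signs a file, verifies it from a second keyring that holds only the exported public key, then shows verification failing once the file is altered and again when the verifying keyring has no key at all. The identity signer@example.invalid, the file name and its contents are constructed for the demo; GnuPG 2.1 or later on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): detached GnuPG signature round trip in
# throwaway keyrings. Assumes GnuPG 2.1+ is installed. Key identity, file name
# and payload are made up for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demo"; exit 0; }

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"      # keyring holding the private (signing) key
VERIFIER_HOME="$WORK/verifier"  # keyring that receives ONLY the public key
EMPTY_HOME="$WORK/empty"        # keyring with no keys at all
mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME" "$EMPTY_HOME"

cleanup() {
    for h in "$SIGNER_HOME" "$VERIFIER_HOME" "$EMPTY_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# 1. Throwaway signing key. %no-protection means no passphrase, so the batch
#    signing below needs no pinentry. Hypothetical identity.
cat >"$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 1d
%commit
EOF
gpg --homedir "$SIGNER_HOME" --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null

# 2. Something to protect (constructed payload). A detached signature leaves
#    the file itself untouched and writes the signature to a sidecar .asc file.
FILE="$WORK/release.tar"
printf 'constructed sample payload\n' >"$FILE"

sign_file() {   # sign_file <file> <signature-out>
    gpg --homedir "$SIGNER_HOME" --batch --quiet --yes --armor \
        --detach-sign --output "$2" "$1"
}

verify_file() { # verify_file <homedir> <signature> <file>  -> gpg's exit status
    gpg --homedir "$1" --batch --quiet --verify "$2" "$3" 2>/dev/null
}

# Run a command and echo its exit status without tripping set -e.
status_of() { "$@" && echo 0 || echo $?; }

sign_file "$FILE" "$FILE.asc"

# 3. Give the verifier nothing but the public key. The private key never leaves
#    SIGNER_HOME, yet verification succeeds: a public key is all a verifier needs.
gpg --homedir "$SIGNER_HOME" --batch --armor --export signer@example.invalid >"$WORK/pub.asc"
gpg --homedir "$VERIFIER_HOME" --batch --quiet --import "$WORK/pub.asc" 2>/dev/null
GOOD_RC=$(status_of verify_file "$VERIFIER_HOME" "$FILE.asc" "$FILE")

# 4. Append one byte to a copy: the signature no longer matches (BAD signature).
cp "$FILE" "$FILE.tampered"
printf 'X' >>"$FILE.tampered"
TAMPER_RC=$(status_of verify_file "$VERIFIER_HOME" "$FILE.asc" "$FILE.tampered")

# 5. A keyring without the signer's public key cannot check the signature at all.
NOKEY_RC=$(status_of verify_file "$EMPTY_HOME" "$FILE.asc" "$FILE")

echo "intact file, public key present : rc=$GOOD_RC   (0 = good signature)"
echo "tampered file                   : rc=$TAMPER_RC (non-zero = refused)"
echo "no public key in keyring        : rc=$NOKEY_RC  (non-zero = cannot check)"
```

One caveat worth knowing before relying on the exit code: `gpg --verify` returns 0 whenever the signature is valid for some key in the keyring, even when that key is not certified by anything you trust (it prints a warning but does not fail). The integrity guarantee is therefore only as strong as your confidence that the public key really belongs to the signer, which is why distributions ship their archive keys with the installer rather than fetching them from the same place as the packages.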