About PGP Signing a File.
Jeffrey F. Bloss
jbloss at tampabay.rr.com
Sun Feb 11 11:12:30 UTC 2007
Joel Bryan Juliano wrote:
<snippage>
> Thanks for all of your awesome replies! This is a very valuable
Glad you found it informative. :)
> information I learned about PGP Signing and the benefits of it, which
> is really really interesting! I have a PGP key that I registered a
> year ago and it's really handy for creating debian packages for
> experimental (or as I call my kind of fun) purposes.
>
> Again, PGP is very very valuable, it's really amazing we have
> something like this!
>
> One more thing, do we need to have a key (i.e. ~/.gnupg/*) in order to
> verify the signed file or binary?
Of course. GnuPG by default works as a "two key" system where one key is
only for locking the lock, and the other only for UNlocking. The two
keys can theoretically be interchanged (not in practice), but they can
not be substituted one for the other within a single cryptographically
oriented operation like the sign/verify. If a function is performed with
one component, be it the public or private key component, the
complementary operation must be performed with the corresponding
complementary key. You sign with your private key, and people verify
with your public key. You encrypt using a public key, and the recipient
decrypts using their private key.
Note: GnuPG and PGP both have the ability to perform symmetric
cryptographic functions or "conventional" encryption that doesn't use
key pairs (usually just pass phrases). But its "standard" usage is as
a Public Key Infrastructure tool.
As for specifically needing a ~/.gnupg/XXXX keyring file to verify a
signed binary, the answer is no. If you're talking about how
apt/Synaptic verify updates and such, they store their keys somewhere
else and use only certain functions from the gpgme library I believe,
so you don't actually need gpg itself installed either (not sure about
that). But they most certainly do have to have the proper GnuPG public
keys stashed away somewhere or they complain to high heaven. ;-)
--
_?_ Outside of a dog, a book is a man's best friend.
(o o) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
http://wrench.homelinux.net/~jeff/
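The sign-with-private / verify-with-public split described in the reply above, and the point that verification needs the public key but not the author's ~/.gnupg, as an added shell example that is not part of the original post. It assumes gpg (GnuPG 2.1 or newer) is on PATH; the user ID, file names, sample file contents and throwaway directories are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates the sign/verify
# split: the private key signs in one keyring, and a second, separate keyring
# holding only the exported public key verifies. Nothing touches ~/.gnupg.
# Assumes: gpg (GnuPG 2.1 or newer) on PATH; the user ID, file names and
# directories below are made up for the demo.
set -e
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

WORK=$(mktemp -d)
SIGNER="$WORK/signer"       # author's keyring: holds the private key
VERIFIER="$WORK/verifier"   # recipient's keyring: public key only
mkdir -p "$SIGNER" "$VERIFIER"
chmod 700 "$SIGNER" "$VERIFIER"

# Constructed sample file standing in for a package or binary.
printf 'hello, ubuntu-users\n' > "$WORK/package.tar"

# 1. Author: make a passphrase-less keypair (demo only) and a detached,
#    ASCII-armored signature over the file.
gpg --homedir "$SIGNER" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never
gpg --homedir "$SIGNER" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --armor --output "$WORK/package.tar.asc" "$WORK/package.tar"

# 2. Publish only the public key; import it into the recipient's keyring.
gpg --homedir "$SIGNER" --batch --quiet --armor \
    --export demo@example.invalid > "$WORK/signer-pub.asc"
gpg --homedir "$VERIFIER" --batch --quiet --import "$WORK/signer-pub.asc"

# count_secret_keys HOMEDIR -> number of private keys stored in that keyring
count_secret_keys() {
    gpg --homedir "$1" --batch --quiet --with-colons --list-secret-keys 2>/dev/null \
        | grep -c '^sec:' || true
}

# verify_file SIGFILE DATAFILE -> "good" or "bad"; uses the public-key-only keyring
verify_file() {
    if gpg --homedir "$VERIFIER" --batch --quiet --verify "$1" "$2" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# 3. The recipient holds no private key, yet the untouched file verifies;
#    appending a single byte to the data makes the same signature fail.
cp "$WORK/package.tar" "$WORK/tampered.tar"
printf 'x' >> "$WORK/tampered.tar"
echo "private keys in verifier keyring: $(count_secret_keys "$VERIFIER")"
echo "original: $(verify_file "$WORK/package.tar.asc" "$WORK/package.tar")"
echo "tampered: $(verify_file "$WORK/package.tar.asc" "$WORK/tampered.tar")"
```

The `--homedir` switch is what lets a tool keep its trusted public keys somewhere other than ~/.gnupg; the verifying keyring never sees a private key, and the detached signature stops matching as soon as one byte of the data changes. Run `gpgconf --homedir DIR --kill gpg-agent` on both directories before deleting them if you want the background agents gone too.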