About PGP Signing a File.
Jeffrey F. Bloss
jbloss at tampabay.rr.com
Sun Feb 11 08:30:49 UTC 2007
Joel Bryan Juliano wrote:
> Hi,
>
> I have a question regarding signing a file or binary, I installed
> Seahorse which is really awesome tool! And it has a nautilus-extension
> that easily Encrypt and Sign a file or directory by right-clicking the
> file. Can someone please tell me the use of signing a binary file or
> directory? I know it's important, but I really don't get it.
The purpose of a digital signature is primarily to guarantee the
integrity of the signed file, assuring the person who checks the
signature against the file that the original hasn't been tampered with
in any way. So any place you need to guarantee file integrity you can
use a gpg signature.
In a public setting the benefits are obvious. All your Ubuntu software
installs and system updates should be using digital signatures to
verify their integrity, for example.
In a private setting the usefulness isn't quite so obvious, but if you
have a copy of your will or any other legal documents on your machine
for example, it's a good idea to sign them. There are also time-stamping
services available which will stamp your signature with one of
their own and make that "sub-signature" public, irrefutably proving a
time line. Precautions that might prevent some shady cousin on your
wife's side from cutting out your kids and writing himself in for
your billions. ;)
I've also used digital signatures to monitor changes in critical system
files and logs. Not so much in modern times because there are simpler,
easier ways to do what I used to do with signatures, but it is one
potential application.
In fact, if you run something like a modern version of rkhunter I
believe you have the option of using some of the very same hashing
schemes gpg uses in its digital signatures to verify the integrity of
the files it keeps track of. Most of your /sbin directory for
example. And there used to be a very excellent piece of antivirus
software floating around called "Integrity Master" which used
(proprietary?) cryptographic signatures to verify executables on DOS
boxes. So the usefulness of "local" signatures isn't as broad and
visible as the more common signed message or software update
application, but it still exists for a lot of people.
--
_?_ Outside of a dog, a book is a man's best friend.
(o o) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
http://wrench.homelinux.net/~jeff/
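The sign-then-verify cycle described above, as an added example that is not part of the original post: it creates a throwaway key in an isolated GNUPGHOME, signs a small file with a detached signature, verifies it, then changes the file and shows the same signature no longer verifies. It assumes a GnuPG 2.x `gpg` binary is on the PATH; the key name, e-mail address, file names and the sample document text are all constructed for the demo.

```shell
#!/bin/sh
# Added example: detached GnuPG signature of a file, verification, and the
# effect of tampering. Runs in a temporary GNUPGHOME so ~/.gnupg is untouched.

# Create an isolated keyring holding one unprotected demo key.
# (Demo only: a real signing key is passphrase-protected and backed up.)
setup_demo_keyring() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    cat >"$GNUPGHOME/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Signer
Name-Email: demo-signer@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$GNUPGHOME/keyparams" 2>/dev/null
}

# sign_file FILE: write an ASCII-armoured detached signature to FILE.asc.
# The file itself is left unchanged; the signature travels beside it.
sign_file() {
    gpg --batch --yes --quiet --armor --detach-sign --output "$1.asc" "$1"
}

# verify_file FILE: return 0 for a good signature, non-zero otherwise.
# Scripts should key on the machine-readable --status-fd lines
# (GOODSIG / BADSIG), not on the human-readable text gpg prints to stderr.
verify_file() {
    gpg --batch --quiet --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
}

# run_demo: sign a constructed sample document, verify it, tamper with it,
# verify again. Sets DEMO_RESULT to pass / fail / error / skipped.
run_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        DEMO_RESULT=skipped
        echo "gpg not installed; skipping demo"
        return 0
    fi
    setup_demo_keyring || { DEMO_RESULT=error; return 0; }

    doc="$GNUPGHOME/will.txt"                      # constructed sample file
    printf 'I leave everything to my kids.\n' >"$doc"
    sign_file "$doc" || { DEMO_RESULT=error; return 0; }

    DEMO_RESULT=fail
    if verify_file "$doc"; then
        echo "original file: signature GOOD"
        # Rewrite the content while keeping the old will.txt.asc in place.
        printf 'I leave everything to my cousin.\n' >"$doc"
        if verify_file "$doc"; then
            echo "tampered file: signature still GOOD (unexpected)"
        else
            echo "tampered file: signature BAD"
            DEMO_RESULT=pass
        fi
    else
        echo "original file: signature BAD (unexpected)"
    fi

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    return 0
}

run_demo
```

A good result from `verify_file` only proves that the file is byte-for-byte what the holder of that key signed; whether that key really belongs to the person you think it does is a separate question answered by key verification and the web of trust, not by the signature itself.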