About PGP Signing a File.
John Dangler
jdangler at atlantic.net
Sun Feb 11 09:39:04 UTC 2007
On Sun, 2007-02-11 at 09:28 +0000, Tony Arnold wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> John,
>
> John Dangler wrote:
> > On Sun, 2007-02-11 at 09:15 +0000, Tony Arnold wrote:
> >> Matthew Flaschen wrote:
> >>> Joel Bryan Juliano wrote:
> >>>> Hi,
> >>>>
> >>>> I have a question regarding signing a file or binary, I installed
> >>>> Seahorse which is a really awesome tool! And it has a nautilus-extension
> >>>> that easily Encrypts and Signs a file or directory by right-clicking the
> >>>> file. Can someone please tell me the use of signing a binary file or
> >>>> directory? I know it's important, but I really don't get it.
> >>> There's no use, unless you're planning on sending the file to someone.
> >>> If you do send it to someone, they can check the signature to verify you
> >>> sent it. Emails and most forms of electronic communication can be
> >>> easily forged, but signatures can't be.
> >> Verifying the signature also confirms that the file has not been
> >> modified since you signed it by some malicious person. So it acts a bit
> >> like an MD5 checksum with the added benefit that you can check who
> >> signed it.
> >>
> >> Regards,
> >> Tony.
> > So, how can I get a valid signature that I can put in my evolution
> > emails?
>
> You need to use gpg to generate a key pair, a secret key and the
> corresponding public key. gpg keeps these in a 'keyring' for you.
I can man gpg for this part...
>
> You can then use evolution to sign outgoing messages. It's a while since
> I used Evo, but I think you can set it to do this automatically.
Yes, there is a place to put signatures in mail (it looks as though the
preferences can be set to email account specific).
>
> You also need to make your public key available as recipients will need
> this to verify your signature.
Public, as in, on a public web server somewhere?
>
> An additional feature of PGP is that keys can be signed themselves.
> Typically you get someone who can confirm you are who you say you are to
> sign your key. Broadly speaking the more signatures a key has, the
> greater the chance of it being trustworthy.
Get someone to _sign_ your key? I'll need to read up on this...
>
> Regards,
> Tony.
> - --
> Tony Arnold, IT Security Coordinator, University of Manchester,
> IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
> T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
> E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFzuHDIsyKE/d21hkRAqwTAJ9mVO+NeX4wd3OAkXVrFH8g26pNyQCgyL65
> oo+AdGwDCy5nfTmHjuTIIqE=
> =eAB4
> -----END PGP SIGNATURE-----
>
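
The sign-then-verify cycle discussed in this thread, as an added example that is not part of the original messages: it generates a key pair, exports the public key, signs a file, and shows that verification fails once the file is modified. It assumes GnuPG 2.1 or later; the user ID, file names and throwaway keyring are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached-sign a file, verify it, then tamper and re-verify.
# User ID, file names and the temporary keyring are constructed for the demo.

demo_sign_verify() {
    GNUPGHOME=$(mktemp -d) || return 2   # throwaway keyring, not ~/.gnupg
    export GNUPGHOME
    work=$(mktemp -d) || return 2

    # 1. Generate a key pair (secret key + public key) in the keyring.
    #    The empty passphrase is only acceptable for an unattended demo.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo User <demo@example.org>' \
        default default never 2>/dev/null || return 2

    # 2. Export the public key: this is the part recipients must obtain
    #    (and import into their own keyring) to check your signatures.
    gpg --batch --armor --export 'demo@example.org' > "$work/demo-pub.asc"

    # 3. Sign a file. --detach-sign leaves report.txt untouched and writes
    #    the signature next to it as report.txt.asc.
    printf 'quarterly numbers: 42\n' > "$work/report.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign "$work/report.txt" 2>/dev/null || return 2

    # 4. Verification succeeds while the file is unchanged.
    if gpg --batch --verify "$work/report.txt.asc" "$work/report.txt" \
        2>/dev/null; then good=0; else good=1; fi

    # 5. Change the file after signing: the old signature no longer matches.
    printf 'quarterly numbers: 43\n' > "$work/report.txt"
    if gpg --batch --verify "$work/report.txt.asc" "$work/report.txt" \
        2>/dev/null; then bad=0; else bad=1; fi

    # Stop background daemons started for the temp keyring, then clean up.
    gpgconf --kill all 2>/dev/null || gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME" "$work"
    unset GNUPGHOME

    echo "unmodified=$good modified=$bad"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

A recipient who has only imported the public key will still see a warning that the key is not certified by a trusted signature, which is what having other people sign your key addresses.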