File and email encryption with GnuPG (PGP) part six

    Date28 Apr 2004
    3458
    Posted ByAnthony Pell
    Last time I showed you how to exchange and verify public PGP keys with an individual. After you've verified a user's key (KeyID, bits, type, fingerprint, and user's actual identity) you should sign their key. Signing a key tells the PGP software (GnuPG in most cases for us Linux heads) that you've acknowledged the key is legitimate when verifying the signature. Let's take a look at the different verification possibilities. . . .

    Last time I showed you how to exchange and verify public PGP keys with an individual. After you've verified a user's key (KeyID, bits, type, fingerprint, and user's actual identity) you should sign their key.

    Signing a key tells the PGP software (GnuPG in most cases for us Linux heads) that you've acknowledged the key is legitimate when verifying the signature. Let's take a look at the different verification possibilities.

    Here's the mutt[1] header of a PGP signed email, where we've never downloaded the key at all:

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: Can't check signature: public key not found

    Compare to the next one, where we do have a copy of their public key, but have never signed the key:

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: Good signature from "John Doe (My First PGP Key) This email address is being protected from spambots. You need JavaScript enabled to view it."
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: B53F E57B D0C1 F689 FCE2 5623 5B9A A5F8 801E A932

    Or this one, where the public key is on our keyring, and the key is signed by us:

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: Good signature from "John Doe (My First PGP Key) This email address is being protected from spambots. You need JavaScript enabled to view it."

    And, to round things out, one where the key is on our keyring, signed and all, but the signature is invalid (the message was corrupted in transit, most likely)

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: BAD signature from "Jon Doe (My First PGP Key) This email address is being protected from spambots. You need JavaScript enabled to view it."

    You are not authorised to post comments.

    LinuxSecurity Poll

    Do you reuse passwords across multiple accounts?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /component/communitypolls/?task=poll.vote
    13
    radio
    [{"id":"55","title":"Yes","votes":"5","type":"x","order":"1","pct":45.45,"resources":[]},{"id":"56","title":"No","votes":"6","type":"x","order":"2","pct":54.55,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.