Signing data with a detached signature in GPG.
Signing data is a good way to verify its integrity. When we create a signature for a file, we are attaching information to it that allows other people to verify that the data has not been tampered with. If the file is tampered with, the signature will be bad.
In this example, we are going to sign a file with a detached signature, then show how it ensures data integrity by demonstrating a bad signature error. We will use GPG and its signature function to achieve this.
For this demonstration we need a file, so I am going to create a dummy file for testing purposes. This file will be called example.txt and it will contain the output of the date command.
date > example.txt
Now that we have a file that we want to sign, we create the signature file by running the command:
gpg --detach-sign example.txt
This will create a signature file, example.txt.sig, in the same directory. This file can be used to verify the original file:
gpg --verify example.txt.sig
If the data has been modified in any way then the signature will be bad. We can check this by editing the example file and then verifying the signature again.
To edit the file we are just going to append the date to the file with the command:
date >> example.txt
Now that we have modified the file, we can check the integrity of the file and signature, which will now return a bad signature error. This error lets us know that the file has been modified since the last time we signed it. In order to verify the signature we run the command:
gpg --verify example.txt.sig
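The same sign, verify, modify, verify cycle as a script, added here as an example that is not part of the original article. It assumes GnuPG 2.1 or later and works in a throwaway keyring; the key name demo-signer@example.invalid and the function names verify_status and sig_demo are made up for this example.

```shell
#!/bin/sh
# Added example: the article's sign / verify / tamper / verify cycle, scripted.
# Assumptions: GnuPG 2.1+; the key name and temp paths below are constructed.

# Print GOODSIG or BADSIG for a detached signature ($1) over a data file ($2).
# Naming both files avoids relying on gpg guessing the data file from the
# signature's name; the --status-fd lines are the machine-readable result.
verify_status() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "BADSIG") { print $2 }'
}

# Runs in a subshell so GNUPGHOME and the trap never leak into the caller.
sig_demo() (
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill all 2>/dev/null; rm -rf "$work"' EXIT
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || exit 1

    # Throwaway signing key with no passphrase: for this demo only.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'demo-signer@example.invalid' \
        default default never >/dev/null 2>&1 || exit 1

    date > "$work/example.txt"
    gpg --batch --quiet --detach-sign "$work/example.txt" || exit 1
    verify_status "$work/example.txt.sig" "$work/example.txt"   # untouched file

    date >> "$work/example.txt"                                  # modify the file
    verify_status "$work/example.txt.sig" "$work/example.txt"   # modified file
)

# Usage: sh this-script.sh run   -> prints GOODSIG, then BADSIG
if [ "${1:-}" = "run" ]; then sig_demo; fi
```

In automation, act on the status line or on gpg's exit code (non-zero for a bad signature) rather than on the human-readable message.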
That’s all there is to it, you have now signed your own file with a detached signature. This is a very handy method
Signing files ensures the integrity of the data, and even though it takes longer than an MD5 hash check of the file, it is more efficient and much more reliable.