0

Suppose I want to publish (or send to someone) a file. I also want the recipients of it to be able to verify that any further updates to it come from the same source/author as the original.

The obvious solution is to ship the original file with a public key and a GPG signature of the file. Any subsequent updates will be signed too.

However, the verifiers would have to import the public key into their local keyring.

Isn't there a more flexible, less obtrusive approach? Maybe not GPG but something else?

For example, something like this would be ideal:

toolname --verify --pub path/to/public.key --sig path/to/signature path/to/file-to-verify 

Looks like GPG can do it but only in 3 peculiar steps:

gpg --no-default-keyring --keyring ./temp-keyring.gpg --import pub.key
gpg --no-default-keyring --keyring ./temp-keyring.gpg --verify signature.gpg path/to/file
rm ./temp-keyring.gpg

Related questions: one, two.

1 Answer

3

Isn't there a more flexible, less obtrusive approach? Maybe not GPG but something else?

BSD signify. You still have to exchange the public key at some point, but there's no keyring etc.

toolname --verify --pub path/to/public.key --sig path/to/signature path/to/file-to-verify 

would be

signify -V -p path/to/public.key -x path/to/signature path/to/file-to-verify 

signify is quite easy to use. The complete relevant usage can be explained in four examples, I think; I'll just cite Ted Unangst's and Marc Espie's man page here:

Create a new key pair:

signify -G -p newkey.pub -s newkey.sec

The newkey.pub public key is very short. It looks like this:

RWQihFKGTsDkMj9lWO3W+lIBNgooJtWDgcIT9uD3rd6GGz7ta38UPQMd 

and could easily be included e.g. in a QR code with your ink signature across it, if you need non-digital distribution.

Sign a file, specifying a signature name:

signify -S -s key.sec -m message.txt -x msg.sig 

If you don't specify -x, then it would have been message.txt.sig.

Verify a signature, using the default signature name:

signify -V -p key.pub -m generalsorders.txt 

If you use sha256sum --tag file1 file2… > SHA256, then signify -S -s path/to/private.key -m SHA256 -e, and send SHA256.sig:

Verify a release directory containing SHA256.sig and a full set of release files:

signify -C -p /etc/signify/openbsd-76-base.pub -x SHA256.sig 

Gzip archives are special, because you can embed the signature in the archive itself without affecting the compressed data.

Sign a gzip archive:

signify -Sz -s key-arc.sec -m in.tgz -x out.tgz 

Verify a gzip pipeline:

ftp url | signify -Vz -t arc | tar ztf - 
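The full workflow the answer walks through (generate a key pair, sign a SHA256 manifest with the message embedded, verify the release directory with -C, and confirm that a modified file is rejected), as one added shell script. This is an added example, not code from the answer or from OpenBSD's signify; it assumes a signify binary is on PATH (Debian and Ubuntu package it as signify-openbsd), and the key names, file names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: end-to-end signify round trip in a scratch directory.
# Assumes signify (or signify-openbsd) is installed; everything else is constructed.
set -eu

# Locate the binary under either common name; prints nothing if absent.
find_signify() {
    command -v signify 2>/dev/null || command -v signify-openbsd 2>/dev/null || true
}

# The steps themselves; runs inside a temp dir, aborts on the first failure.
roundtrip_steps() {
    SIGNIFY=$1
    # 1. Key pair. -n skips the passphrase prompt so the demo runs unattended.
    "$SIGNIFY" -G -n -p demo.pub -s demo.sec
    # 2. A "release": two constructed files and a BSD-style checksum manifest.
    printf 'release notes v1\n' > NOTES.txt
    printf 'binary payload\n'   > app.bin
    sha256sum --tag NOTES.txt app.bin > SHA256
    # 3. Sign only the manifest; -e embeds it so SHA256.sig is self-contained.
    "$SIGNIFY" -S -s demo.sec -m SHA256 -e -x SHA256.sig
    # 4. Verifier side: needs just demo.pub, SHA256.sig and the files. No keyring.
    "$SIGNIFY" -C -p demo.pub -x SHA256.sig
    # 5. Tamper with one file; -C must now exit non-zero and report it as FAIL.
    printf 'tampered\n' >> app.bin
    if "$SIGNIFY" -C -p demo.pub -x SHA256.sig 2>/dev/null; then
        echo "ERROR: tampered file passed verification" >&2
        return 1
    fi
    echo "tamper detected as expected"
}

# Entry point: returns 0 when the round trip behaves as expected.
# Returns 0 with a notice if signify is not installed, since nothing can be shown.
signify_roundtrip() {
    SIGNIFY=$(find_signify)
    if [ -z "$SIGNIFY" ]; then
        echo "signify not installed; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d) || return 1
    status=0
    # Subshell keeps the caller's cwd untouched and makes cleanup unconditional.
    ( cd "$work" && roundtrip_steps "$SIGNIFY" ) || status=$?
    rm -rf "$work"
    return $status
}

signify_roundtrip
```

Step 4 is the point of the answer: the verifier's inputs are the public key file, the signature file and the release files, nothing is imported anywhere. Step 5 shows why signing the manifest is enough: -C recomputes every checksum listed in the embedded SHA256 and fails on the first mismatch.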
