Tuesday, July 2, 2013

Create Document with Digital Signature using GPG on Linux

Document Version 1.0
Copyright © 2012-2013 beijing.beijing.012@gmail.com

My friend Tomy has got an offer from GooPle. Great, isn't it? GooPle! On the phone, the HR manager, Mr. Bozz of GooPle, says he will sign the contract and send it to Tomy right away by post. But at the same time, Mr. Bozz also pointed out that Tomy should sign the contract and send it back to GooPle within 8 hours. 8 hours? Tomy is not even sure he could receive the post within 8 hours, since he lives in a small village where the postman comes only once a week...

Of course Tomy does not want to miss this chance at GooPle. "Sorry sir, but could you sign it and send it to me as a file? I will sign it with a digital signature, so you would get the signed contract in 20 minutes."
"Yes, of course ..."

In the following sections I will show step by step how Mr. Bozz prepares the contract and signs it with his digital signature, and how Tomy verifies the signature and extracts the original content of the contract; otherwise the content is encrypted and not readable.

Step 1. Mr. Bozz prepares the original contract and saves the file as "contract.txt":

"This is a contract between Mr. Tomy and GooPle ..."

Step 2. Mr. Bozz signs the "contract.txt" file with his digital signature

Mr. Bozz's computer is a Linux (Mint 14) machine. He knows there is a tool under Linux called GPG (GNU Privacy Guard), which can be used to create digital signatures.

He opens a terminal and types the following command:

bozz@PC007x /home/bozz $ gpg --sign contract.txt

Console output shows:

gpg: directory `/home/tomy/.gnupg' created
gpg: new configuration file `/home/tomy/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/tomy/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/tomy/.gnupg/secring.gpg' created
gpg: keyring `/home/tomy/.gnupg/pubring.gpg' created
gpg: no default secret key: secret key not available
gpg: signing failed: secret key not available

GPG complains here that it cannot find Mr. Bozz's private and public keys, but these keys are needed to create a digital signature.

Step 3. Mr. Bozz creates his private and public key:

To generate keys, Mr. Bozz types the following command in the terminal:

bozz@PC007x /home/bozz $ gpg --gen-key

Terminal output:

gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Type 1 in the terminal and press return:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 

Press return to take the default key length.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Press return to take the default expiry time, i.e. the key never expires:

Is this correct? (y/N)

Type y and continue with name and email:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: bozz
Name must be at least 5 characters long
Real name: Im Bozz
Email address: 

Email address: bozz@goople.com

Comment: blabla

You selected this USER-ID:
    "Im Bozz (blabla) <bozz@goople.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

Type "O" and return, then set 123 as the passphrase:

You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
Enter passphrase: 


gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 236 more bytes)

Move your mouse, or type something on the keyboard in another terminal, and you will see the gpg process proceed:

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 104 more bytes)
gpg: /home/tomy/.gnupg/trustdb.gpg: trustdb created
gpg: key 324B99FD marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/324B99FD 2013-07-03
      Key fingerprint = 5799 923C 4123 523E 0567  794F 2E52 B3F5 324B 99FD
uid                  Im Bozz (blabla) <bozz@goople.com>
sub   2048R/A57E911C 2013-07-03

Now the keys are generated.

Step 4. Mr. Bozz tries to sign the contract again:

bozz@PC007x /home/bozz $ gpg --sign contract.txt

You need a passphrase to unlock the secret key for
user: "Im Bozz (blabla) <bozz@goople.com>"
2048-bit RSA key, ID 324B99FD, created 2013-07-03

gpg: gpg-agent is not available in this session
Enter passphrase: 

Enter "123" as the passphrase and press return. The signed contract file is created as "contract.txt.gpg":

bozz@PC007x /home/bozz $ ls
contract.txt  contract.txt.gpg

Step 5. Mr. Bozz sends the "contract.txt.gpg" file to Tomy.

Step 6. Tomy tries to verify the file "contract.txt.gpg"

To verify that the file is really from Mr. Bozz of GooPle, Tomy can use the GPG utilities. We assume Tomy has GPG installed on his machine, and that he has created his own public and private key as described in Step 3.

So Tomy types the command below to verify Mr. Bozz's signature:

tomy@PC001x /home/tomy $ gpg --verify contract.txt.gpg 
gpg: Signature made Tue 02 Jul 2013 03:00:40 PM CEST using RSA key ID B06521C9
gpg: Can't check signature: public key not found

The above output shows that gpg cannot verify the signature, since it is missing Mr. Bozz's public key.

When Tomy tries to read or show the content of the contract "contract.txt.gpg", he will find that the file is actually encrypted and not readable.
So now Tomy needs to ask Mr. Bozz for his public key.

Step 7. Mr. Bozz exports his public key and sends it to Tomy

Mr. Bozz exports his public key as the file "bozz.asc" using the command:

bozz@PC007x /home/bozz $ gpg -a --export > bozz.asc

A file "bozz.asc" is generated with content like the following (the ASCII-armored key block is shown truncated here):

Version: GnuPG v1.4.11 (GNU/Linux)

CADAgZmDbU1PkJguIxq/j0fzJirGrE1k/U1rp4asQuKiU3WcVJ07h++yAwcvFz1 J


Mr. Bozz sends his public key, i.e. the file "bozz.asc", to Tomy.

Step 8. Tomy imports Mr. Bozz's public key into gpg:

tomy@PC001x /home/tomy $ gpg --import bozz.asc

Step 9. Tomy tries to verify the file "contract.txt.gpg" again:

tomy@PC001x /home/tomy $ gpg --verify contract.txt.gpg
gpg: Signature made Tue 02 Jul 2013 03:00:40 PM CEST using RSA key ID B06521C9
gpg: Good signature from "Im Bozz (blabla) <bozz@goople.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 850F 0E98 AF5E 4CD3 D9A9  0E1A 986D BCE7 B065 21C9

Step 10. Tomy extracts the content from "contract.txt.gpg":

tomy@PC001x /home/tomy $ gpg --output my_contract.txt --decrypt contract.txt.gpg 
gpg: Signature made Tue 02 Jul 2013 03:00:40 PM CEST using RSA key ID B06521C9
gpg: Good signature from "Im Bozz (blabla) <bozz@goople.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 850F 0E98 AF5E 4CD3 D9A9  0E1A 986D BCE7 B065 21C9

A new file "my_contract.txt" is created; Tomy can show the file content with the less command:

tomy@PC001x /home/tomy $ less my_contract.txt

This is a contract between Mr. Tomy and GooPle ...
my_contract.txt (END)
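As an added example (not part of the original post), here is a small Python walker over the OpenPGP packet structure that `gpg --sign` writes: a Compressed Data packet wrapping a One-Pass Signature packet, a Literal Data packet holding the original file, and the Signature packet. The sample message is constructed inline; the issuer key ID is taken from the fingerprint printed in Step 9 and the RSA signature value is a placeholder, so the message can be parsed but never verified. The walker recovers the contract text and the signing key ID without any key at all, which is the practical point: the output of `--sign` is compressed and signed, not encrypted, so anyone who obtains contract.txt.gpg can read the contract, and only `--encrypt` would hide it.

```python
"""Walk the OpenPGP packets (RFC 4880) inside a `gpg --sign` style message.

Constructed example for this tutorial: it builds a message with the same
packet layout gpg 1.4 writes for `gpg --sign contract.txt`, then parses it
back without any key material at all."""
import struct
import time
import zlib

# Constructed sample values. The key ID is the low 8 bytes of the fingerprint
# shown in Step 9 (850F ... B065 21C9); the contract text is the one from Step 1.
ISSUER_KEY_ID = bytes.fromhex("986DBCE7B06521C9")
CONTRACT = b"This is a contract between Mr. Tomy and GooPle ...\n"
SIGNED_AT = 1372770040  # Tue 02 Jul 2013 13:00:40 UTC, the time printed in Step 9


def old_packet(tag, body):
    """Old-format packet header (RFC 4880 4.2.1) with a two-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def build_signed_message(data, filename=b"contract.txt", when=SIGNED_AT):
    """Constructed stand-in for contract.txt.gpg: Compressed(OnePassSig, Literal, Signature).
    The RSA signature MPI is a placeholder, so the result can be parsed but not verified."""
    one_pass = bytes([3, 0x00, 8, 1]) + ISSUER_KEY_ID + bytes([1])  # v3, binary, SHA-256, RSA, nested
    literal = b"b" + bytes([len(filename)]) + filename + struct.pack(">I", when) + data
    hashed = bytes([5, 2]) + struct.pack(">I", when)       # subpacket type 2: creation time
    unhashed = bytes([9, 16]) + ISSUER_KEY_ID               # subpacket type 16: issuer key ID
    placeholder_mpi = struct.pack(">H", 2048) + b"\x80" + b"\x00" * 255
    sig = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd" + placeholder_mpi)
    inner = old_packet(4, one_pass) + old_packet(11, literal) + old_packet(2, sig)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)     # algorithm 1 = ZIP (raw DEFLATE)
    compressed = deflater.compress(inner) + deflater.flush()
    # Tag 8, old format, indeterminate length (0xA3), exactly as gpg 1.4 writes it.
    return bytes([0x80 | (8 << 2) | 3]) + b"\x01" + compressed


def read_packets(buf):
    """Yield (tag, body) for each packet; handles both old- and new-format headers."""
    pos = 0
    while pos < len(buf):
        ctb = buf[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                                 # new format (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, buf[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + buf[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths not handled in this example")
        else:                                          # old format (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                length = len(buf) - pos                # indeterminate: runs to end of input
            else:
                size = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
        yield tag, buf[pos:pos + length]
        pos += length


def read_subpackets(data):
    """Yield (type, body) for signature subpackets (RFC 4880 5.2.3.1)."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if first < 192:
            length = first
        elif first < 255:
            length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
        else:
            length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
        yield data[pos], data[pos + 1:pos + length]
        pos += length


def inspect_signed_message(msg):
    """Return what gpg --verify/--decrypt reports (file name, content, issuer) using no key."""
    info = {}
    for tag, body in read_packets(msg):
        if tag == 8:                                   # Compressed Data: unwrap and recurse
            if body[0] != 1:
                raise ValueError("only ZIP compression handled in this example")
            info.update(inspect_signed_message(zlib.decompress(body[1:], -15)))
        elif tag == 11:                                # Literal Data: the plaintext itself
            name_len = body[1]
            info["filename"] = body[2:2 + name_len].decode()
            info["content"] = body[6 + name_len:]
        elif tag == 2 and body[0] == 4:                # v4 Signature packet
            hlen = struct.unpack(">H", body[4:6])[0]
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            subpackets = list(read_subpackets(body[6:6 + hlen]))
            subpackets += read_subpackets(body[8 + hlen:8 + hlen + ulen])
            for st, sd in subpackets:
                if st == 2:
                    info["created"] = struct.unpack(">I", sd)[0]
                elif st == 16:
                    info["long_key_id"] = sd.hex().upper()
                    info["key_id"] = info["long_key_id"][-8:]   # the short ID gpg prints
    return info


if __name__ == "__main__":
    info = inspect_signed_message(build_signed_message(CONTRACT))
    made = time.strftime("%a %d %b %Y %H:%M:%S UTC", time.gmtime(info["created"]))
    print("Signature made %s using RSA key ID %s" % (made, info["key_id"]))
    print("Literal file %r, readable without any key:" % info["filename"])
    print(info["content"].decode(), end="")
```

The same packet layout can be inspected on a real file with `gpg --list-packets contract.txt.gpg`, which prints the compressed, one-pass signature, literal data and signature packets in that order. If the contract itself must stay confidential in transit, Mr. Bozz would use `gpg --sign --encrypt` with Tomy's public key as the recipient, so that only Tomy's private key can unwrap it.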

We are almost done here.
When we take another look at the verification output in Step 9, we see there is a warning that says:

"WARNING: This key is not certified with a trusted signature!  There is no indication that the signature belongs to the owner. "

This is because Tomy's GPG utility complains that Mr. Bozz's public key is not certified by a known third party, a CA (Certificate Authority). To get rid of the warning, Mr. Bozz needs to have his public key signed by a third party whom Tomy trusts, i.e. Tomy has imported the third party's public key into his GPG utility.

We assume Jerry is someone whom Tomy trusts, so Tomy imports Jerry's public key with:

tomy@PC001x /home/tomy $ gpg --import jerry.asc

Step 11. Mr. Bozz sends his public key to Jerry

Step 12. Jerry signs Mr. Bozz's public key

Jerry imports Bozz's public key into his GPG utility:

jerry@PC001x /home/jerry $ gpg --import bozz.asc

Jerry signs Mr. Bozz's public key using:

jerry@PC001x /home/jerry $ gpg --sign-key B06521C9

Here B06521C9 is the ID of Mr. Bozz's key.

Jerry exports Mr. Bozz's key as a file:

jerry@PC001x /home/jerry $ gpg -a --export B06521C9 > bozz_signed.asc

The public key of Mr. Bozz is now signed by Jerry and stored in the file "bozz_signed.asc".

Step 13. Mr. Bozz imports the signed key "bozz_signed.asc" and signs the contract again

Mr. Bozz imports the signed key, signs the contract again, and sends the contract to Tomy.

Step 14. Tomy verifies the new contract file

tomy@PC001x /home/tomy $ gpg --verify contract.txt.gpg
gpg: Signature made Wed 03 Jul 2013 11:09:12 AM CEST using RSA key ID B06521C9
gpg: Good signature from "Im Bozz (blabla) <bozz@goople.com>"
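The warning in Steps 9 and 10, and why Steps 11 to 14 make it go away, follow from GnuPG's default trust model, the `3 marginal(s) needed, 1 complete(s) needed, PGP trust model` line printed in Step 3. The following Python is an added model of that rule for this tutorial, not gpg's own code: a key is valid when it is ultimately trusted, or when it carries certifications from at least one valid key with full ownertrust or from three valid keys with marginal ownertrust, chained up to the certification depth. The key IDs TOMY and JERRY are constructed labels; B06521C9 is Mr. Bozz's key ID from the page. The model assumes that Tomy imported bozz_signed.asc, that Tomy certified Jerry's key himself after checking its fingerprint, and that Tomy assigned ownertrust to Jerry with `gpg --edit-key` and its `trust` command; importing jerry.asc alone does none of that, and without it the warning stays.

```python
"""Model of GnuPG's default PGP trust model ("3 marginal(s) needed, 1 complete(s) needed").
Added illustration for this tutorial, not gpg's own code."""
from dataclasses import dataclass, field

# Ownertrust levels as set with `gpg --edit-key <id>` and the `trust` command.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3, 4
MARGINALS_NEEDED, COMPLETES_NEEDED, MAX_CERT_DEPTH = 3, 1, 5   # gpg defaults


@dataclass
class Keyring:
    ownertrust: dict = field(default_factory=dict)   # key id -> ownertrust level
    certs: dict = field(default_factory=dict)        # key id -> set of key ids that signed it

    def certify(self, signer, target):
        """Record a key signature (what `gpg --sign-key target` on signer's machine creates)."""
        self.certs.setdefault(target, set()).add(signer)

    def valid_keys(self):
        """Keys gpg accepts without 'This key is not certified with a trusted signature!'."""
        valid = {k for k, t in self.ownertrust.items() if t == ULTIMATE}
        for _ in range(MAX_CERT_DEPTH):
            grown = set(valid)
            for target, signers in self.certs.items():
                # Only signatures by keys that are themselves valid count, weighted by ownertrust.
                trusted = [self.ownertrust.get(s, UNKNOWN) for s in signers if s in valid]
                full = sum(1 for t in trusted if t >= FULL)
                marginal = sum(1 for t in trusted if t == MARGINAL)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    grown.add(target)
            if grown == valid:
                break
            valid = grown
        return valid


def jerry_scenario():
    """Steps 8 to 14 from Tomy's side. Returns (valid before ownertrust, valid after)."""
    kr = Keyring(ownertrust={"TOMY": ULTIMATE})   # Tomy's own key, ultimately trusted (Step 3)
    kr.certify("JERRY", "B06521C9")               # Step 12: Jerry signed Mr. Bozz's key
    before = "B06521C9" in kr.valid_keys()        # jerry.asc imported, no ownertrust: still warned
    kr.certify("TOMY", "JERRY")                   # Tomy checks Jerry's fingerprint and signs his key
    kr.ownertrust["JERRY"] = FULL                 # gpg --edit-key JERRY, trust, "I trust fully"
    after = "B06521C9" in kr.valid_keys()
    return before, after


def marginal_scenario(n_introducers):
    """Generalisation: n marginally trusted introducers, each certified by Tomy, sign Bozz's key."""
    kr = Keyring(ownertrust={"TOMY": ULTIMATE})
    for i in range(n_introducers):
        who = "INTRODUCER%d" % i                  # constructed key ids
        kr.certify("TOMY", who)
        kr.ownertrust[who] = MARGINAL
        kr.certify(who, "B06521C9")
    return "B06521C9" in kr.valid_keys()


if __name__ == "__main__":
    before, after = jerry_scenario()
    print("Jerry signed, no ownertrust -> valid: %s; with full ownertrust -> valid: %s" % (before, after))
    for n in (2, 3):
        print("%d marginal introducers -> valid: %s" % (n, marginal_scenario(n)))
```

The shortest route in practice needs no Jerry at all: Tomy reads the fingerprint printed in Step 9 back to Mr. Bozz over the phone and, if it matches, certifies the key himself with `gpg --lsign-key B06521C9` (a local, non-exportable signature). A signature from Tomy's own ultimately trusted key makes Mr. Bozz's key valid directly, and that fingerprint check is exactly the step a signed contract depends on.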



  1. This is an awesome post. I carefully read and understood all the steps and to my surprise I performed this task in single run. I was so worried before trying it. Thanks to you.


  2. Hi Jimmy,

    I am glad you like it.

