Tuesday, July 2, 2013

Create Document with Digital Signature using GPG on Linux

Document Version 1.0
Copyright © 2012-2013 beijing.beijing.012@gmail.com

My friend Tomy has got an offer from GooPle. Great, isn't it? GooPle! On the phone, the HR manager, Mr. Bozz of GooPle, says he will sign the contract and send it to Tomy right away by post. But at the same time Mr. Bozz also points out that Tomy has to sign the contract and send it back to GooPle within 8 hours. 8 hours? Tomy is not even sure he could receive the letter in 8 hours, since he lives in a small village where the postman comes only once a week...

Of course Tomy does not want to miss this chance at GooPle. "Sorry sir, but could you sign it and send it to me as a file? I will sign it with a digital signature, so you would get the signed contract in 20 minutes."
"Yes, of course ..."

In the following sections I show step by step how Mr. Bozz prepares the contract and signs it with his digital signature, and how Tomy verifies the signature and extracts the original content of the contract. One thing to keep in mind: the signed file is not encrypted. GPG packs the text, compressed, into a binary OpenPGP message together with the signature, so it is not readable as plain text, but anyone with gpg can unpack it. A signature gives authenticity and integrity, not confidentiality.

Step 1. Mr. Bozz prepares the original contract and saves the file as "contract.txt":


"This is a contract between Mr. Tomy and GooPle ..."

Step 2. Mr. Bozz signs the "contract.txt" file with his digital signature


Mr. Bozz's computer runs Linux (Mint 14). He knows there is a tool on Linux called GPG (GNU Privacy Guard) that can create digital signatures.

He opens a terminal and types the following command:

bozz@PC007x /home/bozz $ gpg --sign contract.txt

Console output shows:

gpg: directory `/home/bozz/.gnupg' created
gpg: new configuration file `/home/bozz/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/bozz/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/bozz/.gnupg/secring.gpg' created
gpg: keyring `/home/bozz/.gnupg/pubring.gpg' created
gpg: no default secret key: secret key not available
gpg: signing failed: secret key not available


GPG complains that it cannot find Mr. Bozz's secret key. Creating a signature needs the signer's secret (private) key; the matching public key is what the recipient later uses to verify the signature. Mr. Bozz has neither yet.

Step 3. Mr. Bozz creates his key pair (private and public key):


To generate the keys, Mr. Bozz types the following command in the terminal:

bozz@PC007x /home/bozz $ gpg --gen-key

Terminal output:

gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Type 1 and return:


RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 

Press return to accept the default key length (2048 bits in this GPG version; newer versions default to larger keys).

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Press return to accept the default, i.e. the key never expires. (For a real key, set an expiry date: it limits the damage if the secret key is lost or stolen, and it can be extended later.)

Is this correct? (y/N)

Type y and continue with name and email:


You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: bozz
Name must be at least 5 characters long
Real name: Im Bozz
Email address: 

Email address: bozz@goople.com

Comment: blabla

You selected this USER-ID:
    "Im Bozz (blabla) <bozz@goople.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

Type "O" and return, then set a passphrase. This tutorial uses "123" to keep the example short; a real passphrase must be long and hard to guess, because it is the only thing protecting the secret key file if the machine or a backup of it is stolen.

You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
Enter passphrase: 

123
123

gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 236 more bytes)
..

Move the mouse or type something on the keyboard in another terminal, and you will see the gpg process proceed:

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 104 more bytes)
..+++++
gpg: /home/bozz/.gnupg/trustdb.gpg: trustdb created
gpg: key 324B99FD marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/324B99FD 2013-07-03
      Key fingerprint = 5799 923C 4123 523E 0567  794F 2E52 B3F5 324B 99FD
uid                  Im Bozz (blabla) <bozz@goople.com>
sub   2048R/A57E911C 2013-07-03

Now the key pair is generated. The "Key fingerprint" line is the value a recipient will later compare out of band (for example over the phone) before trusting this key.

Step 4. Mr. Bozz tries to sign the contract again:



bozz@PC007x /home/bozz $ gpg --sign contract.txt


You need a passphrase to unlock the secret key for
user: "Im Bozz (blabla) <bozz@goople.com>"
2048-bit RSA key, ID 324B99FD, created 2013-07-03

gpg: gpg-agent is not available in this session
Enter passphrase: 


Enter "123" as the passphrase and return. The signed contract is written to "contract.txt.gpg":

 bozz@PC007x /home/bozz $ ls
contract.txt  contract.txt.gpg


Step 5. Mr. Bozz sends the file "contract.txt.gpg" to Tomy.



Step 6. Tomy tries to verify the file "contract.txt.gpg"



To check that the file really comes from Mr. Bozz of GooPle, Tomy uses the GPG utilities. We assume Tomy has GPG installed on his machine and has created his own key pair as described in Step 3. (Verifying a signature does not need a key pair of his own, but his key will be needed later, when he vouches for a third party's key.)

So Tomy types the command below to verify Mr. Bozz's signature:

tomy@PC001x /home/tomy $ gpg --verify contract.txt.gpg 
gpg: Signature made Tue 02 Jul 2013 03:00:40 PM CEST using RSA key ID B06521C9
gpg: Can't check signature: public key not found

The output shows that gpg cannot verify the signature, because Mr. Bozz's public key is missing from Tomy's keyring.

When Tomy tries to show the content of "contract.txt.gpg", he finds that the file is binary and not readable as text. It is not encrypted, though: gpg --sign wraps the contract, compressed, in an OpenPGP message together with the signature, and anyone who has gpg can unpack it even without the public key. The signature proves who signed it and that it was not changed; it does not hide the content.
So Tomy now asks Mr. Bozz for his public key.


Step 7. Mr. Bozz exports his public key and sends it to Tomy



Mr. Bozz exports his public key as the file "bozz.asc" with the command:

 bozz@PC007x /home/bozz $ gpg -a --export >  bozz.asc


A file "bozz.asc" is generated with the content below. (Without a key ID or email address after --export, gpg exports every public key in the keyring; giving the address, as in gpg -a --export bozz@goople.com, exports only his own key.)
===========
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
...
=49J7
-----END PGP PUBLIC KEY BLOCK-----

============

Mr. Bozz sends his public key, i.e. the file "bozz.asc", to Tomy.

Step 8. Tomy imports Mr. Bozz's public key into his keyring:



tomy@PC001x /home/tomy $ gpg --import bozz.asc

Step 9. Tomy tries to verify the file "contract.txt.gpg" again:



tomy@PC001x /home/tomy $ gpg --verify contract.txt.gpg
gpg: Signature made Tue 02 Jul 2013 03:00:40 PM CEST using RSA key ID B06521C9
gpg: Good signature from "Im Bozz (blabla) <bozz@goople.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 850F 0E98 AF5E 4CD3 D9A9  0E1A 986D BCE7 B065 21C9


Step 10. Tomy extracts the content from "contract.txt.gpg":



tomy@PC001x /home/tomy $ gpg --output my_contract.txt --decrypt contract.txt.gpg 
gpg: Signature made Tue 02 Jul 2013 03:00:40 PM CEST using RSA key ID B06521C9
gpg: Good signature from "Im Bozz (blabla) <bozz@goople.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 850F 0E98 AF5E 4CD3 D9A9  0E1A 986D BCE7 B065 21C9

A new file "my_contract.txt" is created. Tomy can show the file content with the less command:
tomy@PC001x /home/tomy $ less my_contract.txt

This is a contract between Mr. Tomy and GooPle ...
my_contract.txt (END)

We are almost done here.
When we take another look at the verification output in Step 9, we see a warning:

"WARNING: This key is not certified with a trusted signature!  There is no indication that the signature belongs to the owner. "

This does not mean the signature is bad. The signature checks out against the key, but gpg has no evidence that the key carrying the user ID "Im Bozz (blabla) <bozz@goople.com>" really belongs to Mr. Bozz; anyone can generate a key with that name and address. OpenPGP has no central CA (Certificate Authority) for this; instead keys are certified by other people, the "web of trust". To get rid of the warning, Mr. Bozz's public key has to be signed by a third party whom Tomy trusts, and Tomy has to tell his GPG that he trusts that party. The importance of comparing the fingerprint with Mr. Bozz by phone (Step 8) is exactly this: it is what makes a certification, his own or someone else's, worth anything. (Tomy could also sign the key himself after that phone check, with the lsign command in gpg --edit-key, which silences the warning for his keyring alone.)

We assume Jerry is someone Tomy trusts, so Tomy imports Jerry's public key by:

tomy@PC001x /home/tomy $ gpg --import jerry.asc

Step 11. Mr. Bozz sends his public key to Jerry


Step 12. Jerry signs Mr. Bozz's public key


Jerry imports Bozz's public key into his GPG keyring:

jerry@PC001x /home/jerry $ gpg --import bozz.asc

Jerry signs Mr. Bozz's public key using:
jerry@PC001x /home/jerry $ gpg --sign-key B06521C9

Here B06521C9 is the ID of Mr. Bozz's key. Before doing this Jerry must have checked the key's fingerprint with Mr. Bozz himself: his signature is a statement that this key belongs to Mr. Bozz, and everyone who trusts Jerry will rely on it. gpg asks for Jerry's passphrase here, because the certification is made with Jerry's own secret key. (Short 8-digit key IDs like this one are easy to collide; when you type the ID yourself, use the full fingerprint instead.)

Jerry exports Mr. Bozz's key, which now carries his signature, as a file:

jerry@PC001x /home/jerry $  gpg -a --export B06521C9 >  bozz_signed.asc


The public key of Mr. Bozz is now signed by Jerry and stored in the file "bozz_signed.asc".


Step 13. Mr. Bozz imports the signed key "bozz_signed.asc" and signs the contract again


Mr. Bozz imports the signed key into his own keyring (so that every future export of his key carries Jerry's signature), signs the contract again and sends it to Tomy. Note that the signature on the document does not carry Jerry's certification; that lives on the public key. Tomy therefore also needs the certified key "bozz_signed.asc" (from Mr. Bozz or directly from Jerry) and imports it as in Step 8, which merges Jerry's signature into the copy of the key he already has. And importing Jerry's key (Step 10) is not enough on its own: in gpg's trust model Jerry's certification only counts if Jerry's key is itself valid in Tomy's keyring, i.e. Tomy has signed it after checking Jerry's fingerprint, and Tomy has assigned it owner trust (the trust command in gpg --edit-key). Without those two things the warning stays.

Step 14. Tomy verifies the new contract file


 tomy@PC001x /home/tomy $  gpg --verify contract.txt.gpg
gpg: Signature made Wed 03 Jul 2013 11:09:12 AM CEST using RSA key ID B06521C9
gpg: Good signature from "Im Bozz (blabla) <bozz@goople.com>"

The warning is gone: Mr. Bozz's key is now certified by Jerry, whose key Tomy has marked as trusted.


Congratulations!  
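The whole exchange from key generation to the warning-free verification, as an added example that is not part of the original post and not the author's script. It assumes GnuPG 2.1 or later (the post used 1.4.11) on a Linux box with gpg on the PATH; the three keyrings live under a temporary directory, the addresses tomy@example.com and jerry@example.com and the names "Tomy Tester" and "Jerry Notary" are placeholders, and passphrase prompts are switched off with %no-protection so it runs unattended. It also goes a bit beyond the post: it reads gpg's machine-readable status lines (NO_PUBKEY, TRUST_UNDEFINED, TRUST_FULLY) instead of the human-readable warning, compares fingerprints before relying on a key, gives Jerry's key the owner trust that the post leaves implicit, and lists the OpenPGP packets to show that a signed file contains no encryption packet.

```shell
#!/bin/sh
# Added example (not from the original post): the Bozz/Tomy/Jerry exchange
# driven from one script, with three throw-away keyrings. Assumes GnuPG >= 2.1.
# tomy@example.com, jerry@example.com and the names below are placeholders.
set -eu

WORK=$(mktemp -d /tmp/gpgdemo.XXXXXX)
BOZZ=$WORK/bozz; TOMY=$WORK/tomy; JERRY=$WORK/jerry
cd "$WORK"
printf 'This is a contract between Mr. Tomy and GooPle ...\n' > contract.txt

# Unattended key generation. %no-protection skips the passphrase so the demo
# needs no pinentry; a real key gets a strong passphrase and an expiry date.
gen_key() {  # gen_key <homedir> <real name> <email>
  mkdir -p -m 700 "$1"
  gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
%commit
EOF
}

fpr_of() {  # fpr_of <homedir> <email>: full 40-hex-digit fingerprint
  gpg --homedir "$1" --batch --with-colons --fingerprint "$2" \
    | awk -F: '$1=="fpr"{print $10; exit}'
}

# Machine-readable verdict from --status-fd: NO_PUBKEY, TRUST_UNDEFINED
# (the post's WARNING), TRUST_FULLY, ...
verify_status() {  # verify_status <homedir> <signed file>
  gpg --homedir "$1" --batch --no-tty --status-fd 1 --verify "$2" 2>/dev/null \
    | awk '$1=="[GNUPG:]" && ($2 ~ /^TRUST_/ || $2=="NO_PUBKEY"){print $2; exit}'
}

packet_types() {  # packet_types <file>: names of the OpenPGP packets inside
  gpg --homedir "$TOMY" --batch --list-packets "$1" 2>/dev/null \
    | sed -n 's/^:\([^:]*\):.*/\1/p'
}

cleanup_agents() {  # stop the gpg-agent each keyring spawned
  for h in "$BOZZ" "$TOMY" "$JERRY"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
}

gen_key "$BOZZ"  "Im Bozz"      bozz@goople.com
gen_key "$TOMY"  "Tomy Tester"  tomy@example.com
gen_key "$JERRY" "Jerry Notary" jerry@example.com
BOZZ_FPR=$(fpr_of "$BOZZ" bozz@goople.com)
JERRY_FPR=$(fpr_of "$JERRY" jerry@example.com)

# Steps 4-7: Bozz signs (does not encrypt) the contract and exports only his key.
gpg --homedir "$BOZZ" --batch --yes --output contract.txt.gpg --sign contract.txt
gpg --homedir "$BOZZ" --batch --armor --export bozz@goople.com > bozz.asc

STATUS_BEFORE_IMPORT=$(verify_status "$TOMY" contract.txt.gpg)   # NO_PUBKEY

# Step 8: import, then compare the fingerprint with the one Bozz reads out over
# the phone (here taken straight from Bozz's own keyring).
gpg --homedir "$TOMY" --batch --quiet --import bozz.asc 2>/dev/null
[ "$(fpr_of "$TOMY" bozz@goople.com)" = "$BOZZ_FPR" ] || { echo "fingerprint mismatch"; exit 1; }
STATUS_AFTER_IMPORT=$(verify_status "$TOMY" contract.txt.gpg)    # TRUST_UNDEFINED

# Step 10: --decrypt merely unpacks the literal-data packet; nothing was secret.
gpg --homedir "$TOMY" --batch --yes --output my_contract.txt --decrypt contract.txt.gpg 2>/dev/null

# Steps 11-12: Jerry certifies Bozz's key (after his own fingerprint check).
gpg --homedir "$JERRY" --batch --quiet --import bozz.asc 2>/dev/null
gpg --homedir "$JERRY" --batch --yes --quick-sign-key "$BOZZ_FPR"
gpg --homedir "$JERRY" --batch --armor --export bozz@goople.com  > bozz_signed.asc
gpg --homedir "$JERRY" --batch --armor --export jerry@example.com > jerry.asc

# Steps 13-14: Tomy imports Jerry's key, makes it valid (local signature after
# checking Jerry's fingerprint) and trusted (ownertrust 5 = full), then imports
# the re-exported Bozz key that now carries Jerry's certification.
gpg --homedir "$TOMY" --batch --quiet --import jerry.asc 2>/dev/null
[ "$(fpr_of "$TOMY" jerry@example.com)" = "$JERRY_FPR" ] || { echo "fingerprint mismatch"; exit 1; }
gpg --homedir "$TOMY" --batch --yes --quick-lsign-key "$JERRY_FPR"
printf '%s:5:\n' "$JERRY_FPR" | gpg --homedir "$TOMY" --batch --import-ownertrust
gpg --homedir "$TOMY" --batch --quiet --import bozz_signed.asc 2>/dev/null
gpg --homedir "$TOMY" --batch --check-trustdb 2>/dev/null
STATUS_AFTER_CERT=$(verify_status "$TOMY" contract.txt.gpg)      # TRUST_FULLY

echo "before import: $STATUS_BEFORE_IMPORT, after import: $STATUS_AFTER_IMPORT, after Jerry: $STATUS_AFTER_CERT"
packet_types contract.txt.gpg   # compressed, onepass_sig, literal data, signature
cleanup_agents
```

Run it with sh; it prints the three verdicts and the packet list. --quick-sign-key and --quick-lsign-key are the non-interactive forms of the --sign-key and --edit-key lsign commands used in the post, and --import-ownertrust does what the interactive trust command does. The two fingerprint comparisons stand in for the phone call: without them, importing a key and certifying it only tells gpg what the sender of the file claims.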

4 comments:

  1. This is an awesome post. I carefully read and understood all the steps and to my surprise I performed this task in a single run. I was so worried before trying it. Thanks to you.
    what is a digital signature

    Reply:
    1. Hi, Great.. Tutorial is just awesome.. It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Java developer, learn from Java Training in Chennai, or learn through Java EE Online Training from India. Nowadays Java has tons of job opportunities in various vertical industries.

  2. Hi Jimmy,

    I am glad you like it.

    °_°

  3. Thank you very much for this post. Your posts are the useful thing which we all are looking for, that kind of information.
    digital marketing services in india