Use of PGP to sign distributed files
linux at codehelp.co.uk
Mon Dec 20 12:25:20 CET 2004
On Saturday 18 December 2004 12:14 pm, Daniel Briley wrote:
> I'm looking to distribute some text files on a peer to peer network
> containing some information. The problem I have is that with p2p being a
> public system, people can easily create and share bogus versions of your
> file. I've been looking into a way to digitally sign my files to ensure
> their authenticity once downloaded by a user.
That's why packages on websites are often signed using GnuPG, so yes, it is
suitable in general terms. You create a detached signature (gpg -ab) and post
that alongside the file - it is given the same name with a .asc extension by
Try downloading and verifying some packages yourself - to start you off, look
> Also, in the future I've thought about possibly creating an app to run
> these checks automatically. Would you recommend using portions of the GnuPG
> code in my app for this?
Signatures can be verified automatically as long as the public key is
Don't split the code - use it as it is and use the functionality from the
program. Look at man gpg and the options:
gpg --verify sigfile [files]
Verify the signature of the file but do not output the data.
The second form is used for detached signatures, where sigfile is the
detached signature (either ASCII armored or binary) and [files] are the
signed data; if this is not given, the name of the file holding the signed
data is constructed by cutting off the extension (".asc" or ".sig") of
sigfile or by asking the user for the filename.
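Added example, not part of the original message: one way an application can run the gpg program as-is for the detached-signature check discussed above, deciding from gpg's machine-readable status lines whether the signature was made by one specific publisher key. The function names check_status and verify_detached are hypothetical, and PINNED_FPR is a constructed placeholder fingerprint.

```sh
#!/bin/sh
# Added example: automated check of a detached GnuPG signature against a
# pinned key. PINNED_FPR is a constructed placeholder; replace it with the
# publisher's real 40-hex-digit fingerprint, obtained out of band.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status FPR
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names FPR (as signing key or as primary key) and no failure status
# (BADSIG, ERRSIG, EXPSIG, EXPKEYSIG, REVKEYSIG) appears anywhere.
check_status() {
    want=$1
    ok=1
    while read -r tag kw f1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # f1 is the signing key fingerprint; the last field, when
                # present, is the primary key fingerprint.
                primary=${rest##* }
                if [ "$f1" = "$want" ] || [ "$primary" = "$want" ]; then
                    ok=0
                fi ;;
        esac
    done
    return $ok
}

# verify_detached SIGFILE FILE
# Runs gpg itself and judges the result from the status lines on stdout;
# the human-readable messages on stderr are discarded.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# usage: verify_detached notes.txt.asc notes.txt && echo "signature OK"
```

A signature that is merely "good" for some key in the keyring is not enough on a p2p network, which is why the check compares the fingerprint instead of relying on gpg's exit code alone.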