Use of PGP to sign distributed files

Neil Williams linux at
Mon Dec 20 12:25:20 CET 2004

On Saturday 18 December 2004 12:14 pm, Daniel Briley wrote:
> Hi,
> I'm looking to distribute some text files on a peer to peer network
> containing some information. The problem I have is that with p2p being a
> public system, people can easily create and share bogus versions of your
> file. I've been looking into a way to digitally sign my files to ensure
> their authenticity once downloaded by a user.

That's why packages on websites are often signed using GnuPG, so yes, it is 
suitable in general terms. You create a detached signature (gpg -ab) and post 
that alongside the file - it is given the same name with a .asc extension by 

Try downloading and verifying some packages yourself - to start you off, look 

> Also, in the future I've thought about possibly creating an app to run

Signatures can be verified automatically as long as the public key is 

> these checks automatically. Would you recommend using portions of the GnuPG
> code in my app for this?

Don't split the code - use it as it is and use the functionality from the 
program. Look at man gpg and the options:

gpg --verify sigfile [files]
        Verify the signature of the file but do not output the data.
        The second form is used for detached signatures, where sigfile
        is the detached signature (either ASCII armored or binary) and
        [files] are the signed data; if this is not given, the name of
        the file holding the signed data is constructed by cutting off
        the extension (".asc" or ".sig") of sigfile or by asking the
        user for the filename.


Neil Williams
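
An added example, not part of the original message: a shell wrapper that drives the gpg program itself for automatic verification of a detached signature, and accepts the file only when the signature comes from one pinned key. The function names, the sample fingerprint and the sample status lines are constructed for illustration; it assumes the signature sits beside the file as FILE.asc and that the signer's public key is already in the keyring.

```shell
#!/bin/sh
# Added example: pinned-fingerprint check around `gpg --verify`.

# Read gpg's machine-readable status lines (--status-fd output) on stdin and
# succeed only if a good signature from the pinned key was reported.
# $1 = expected fingerprint, uppercase hex without spaces.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired-key or revoked-key signatures all fail.
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint; either may be the pinned one.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# Verify FILE against FILE.asc by calling the gpg binary.
# $1 = file, $2 = expected fingerprint. Returns 2 if either file is missing,
# 0 if the pinned key made a good signature, 1 otherwise.
verify_file() {
    [ -f "$1" ] && [ -f "$1.asc" ] || return 2
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        check_status "$2"
}

# Constructed sample of status output (fingerprint and key ID are made up),
# showing the lines check_status looks for.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2004-12-20 1103541920 0 3 0 17 2 00 $SAMPLE_FPR"
```

Checking the fingerprint matters because a plain `gpg --verify` succeeds for a good signature from any key in the keyring, not only the distributor's key.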
