Signing files

Neil Williams linux at codehelp.co.uk
Fri Jan 14 23:48:14 CET 2005


On Friday 14 January 2005 9:24 pm, Mark Ivs wrote:
> Hello,
> Can you please clarify this...
>
> Let's say, I have GnuPG installed in machine A. I
> created a public key from machine A and I sent it to
> my customer. I received their Public key also.

Don't forget, when you create a key you create a secret key too - that's what 
signs the file and you never need to send that to anyone. The public key is 
sufficient to verify the signature without being able to create it.

> I need to encrypt and sign the files and put it in my
> ftp site and my customer will ftp it from there.

Home machine: has your keypair, public and secret and the public key for the 
customer. Sign and encrypt the files here.
FTP host: No need to install GnuPG, just copy the signed and encrypted files 
to that machine.
Customer: Downloads the files using FTP to his local machine. His copy of your 
PUBLIC key verifies the signature, his SECRET key decrypts the contents.

If I signed and encrypted an email to you, I'd sign and encrypt it here where 
both my public and secret keys exist. None of the servers in between need 
know anything about GnuPG to handle the email, it just gets copied around 
(intact) from one to another until it arrives in your inbox. You then verify 
the signature on the email using a copy of my public key and you decrypt the 
contents using your secret key. That's all there is to it.

> I am going to encrypt the files using their public key
> and sign it using my private key.

You sign it on your local machine and send it to the FTP site already signed. 
The FTP server does NOT need to do anything to the file(s) except make it 
available.

>
> The problem is, this encryption program will run on
> Machine B.

? So? That doesn't stop you signing the files on your local machine (whichever 
that is) and sending the files signed! 

Signed files only need GnuPG when they need to be verified - i.e. by the 
recipient. The server knows nothing about GnuPG and that's the way it should 
stay.

> I have installed GnuPG in Machine B also. I
> am thinking I can add the public key created from
> Machine A to my key ring in Machine B.

No need. The files are already signed and encrypted, the machines in between 
don't need to know anything about the contents of the file or the encryption.

The customer already has your public key, that's all that is required.

Keep your secret key where it is and sign the files on that machine. 

> I know the 
> passphrase for the key I generated from Machine A. For
> me to sign the files, do I need anything else from
> Machine A?

Sign the files ON Machine A! There is no reason to sign anywhere else. Sign 
where the secret key was created, don't copy the secret key to any remote 
machines and copy the files to the FTP server, already signed.

> private key or other files?? 
>
> Please let me know. Thanks in advance.

-- 

Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
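The workflow Neil describes, as an added example that is not part of the original thread: three throw-away GnuPG home directories stand in for Machine A, the FTP host and the customer's machine, so you can see that the secret keys never move and the FTP host never needs a keyring. It assumes GnuPG 2.1 or later (for --quick-gen-key and --pinentry-mode); all key names, addresses and file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): Neil's workflow played out
# with three throw-away directories standing in for Machine A, the FTP host
# and the customer's machine. Assumes GnuPG 2.1+ (for --quick-gen-key and
# --pinentry-mode); names, addresses and the file contents are constructed.
set -eu

gpg_roundtrip() {
    work=$(mktemp -d)
    a="$work/machineA"; ftp="$work/ftphost"; cust="$work/customer"
    mkdir -m 700 "$a" "$cust"; mkdir "$ftp"

    # Each party generates its own keypair in its own keyring; neither secret
    # key ever leaves its directory. Empty passphrases keep the demo
    # non-interactive; real keys should have one.
    gpg --homedir "$a" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Me (demo) <me@example.invalid>' default default never
    gpg --homedir "$cust" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Customer (demo) <cust@example.invalid>' default default never

    # Exchange PUBLIC keys only, exactly as the thread describes.
    gpg --homedir "$a" --export --armor me@example.invalid > "$work/me.pub"
    gpg --homedir "$cust" --export --armor cust@example.invalid > "$work/cust.pub"
    gpg --homedir "$a" --batch --quiet --import "$work/cust.pub"
    gpg --homedir "$cust" --batch --quiet --import "$work/me.pub"

    # Machine A: sign with my secret key and encrypt to the customer's public
    # key in one step. --trust-model always suppresses the web-of-trust prompt.
    printf 'quarterly report\n' > "$work/report.txt"
    gpg --homedir "$a" --batch --quiet --trust-model always \
        --local-user me@example.invalid --recipient cust@example.invalid \
        --sign --encrypt --output "$ftp/report.txt.gpg" "$work/report.txt"

    # FTP host: holds nothing but the signed+encrypted blob, no keyring at all.
    [ "$(ls "$ftp")" = "report.txt.gpg" ]

    # Customer: downloads the blob and decrypts with his own secret key; gpg
    # checks the embedded signature against my public key and reports the
    # outcome on --status-fd while the plaintext goes to stdout.
    cp "$ftp/report.txt.gpg" "$cust/report.txt.gpg"
    gpg --homedir "$cust" --batch --quiet --trust-model always --status-fd 3 \
        --decrypt "$cust/report.txt.gpg" 3>"$work/status"
    grep -q '^\[GNUPG:\] GOODSIG' "$work/status"
    grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$work/status"

    gpgconf --homedir "$a" --kill gpg-agent || true
    gpgconf --homedir "$cust" --kill gpg-agent || true
    rm -rf "$work"
}
```

Running `gpg_roundtrip` prints the decrypted plaintext and exits non-zero if the signature or the decryption fails; note that the FTP directory contains only the ciphertext file.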
