2 ways of signing files

Mark Kirchner mail at mark-kirchner.de
Sat Jan 15 19:20:02 CET 2005


On Saturday, January 15, 2005, 6:26:00 PM, Mark wrote:
> I would like to know if there are 2 ways of signing.
> Please take a look at the following scenarios.
> Scenario 1:
> I add Blake's public key to my key ring. I can do the
> following 2 steps to edit and sign Blake's public key.
> 1. gpg --edit-key blake at cyb.org
> 2. Command>> sign
> This will sign the key. So, now I can encrypt the file
> by doing the following...
> 'gpg --recipient "blake at cyb.org" --output
> $rootpath\\$filepgp --encrypt
> $rootpath\\encrypted\\$datafile'
> When Blake gets the encrypted file, does it mean that
> the file is also signed?

No. You signed Blake's key, but not "$datafile".

> Scenario 2:
> I can encrypt and sign by doing the following.
> 'gpg --recipient "XXX" --output $rootpath\\$filepgp
> --sign --encrypt $rootpath\\encrypted\\$datafile'

This time you signed "$datafile" (but not Blake's key).

> Can someone please tell me if scenario 1 and 2 are
> basically doing the same thing?

Absolutely not.

Signing a key (scenario 1) means: "I certify that this key belongs to
Blake". You should (normally) do this only if you are _absolutely_
sure that the keyholder (in control of the (secret) key that says it
belongs to "Blake") is really "Blake". Usually this involves meeting
with Blake, checking government-issued ID, verifying the fingerprint of
the key and making sure that Blake is in control of the e-mail address
that is associated with the user-id "Blake".

Signing data (scenario 2) is used to make sure that no one (except
yourself) can modify the signed data without your signature becoming


Mark Kirchner

Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc
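The distinction above (a key signature certifies a key/user-id binding, a data signature covers the file) can be shown concretely. The following is an added example, not part of the original post and not GnuPG's own code: a toy model of the two signature kinds using textbook RSA with fixed Mersenne primes (trivially factorable, for illustration only) instead of the real OpenPGP packet format. The user id and file contents are constructed sample values; the "cert"/"data" tags stand in for the signature-type byte that OpenPGP mixes into the hashed material.

```python
"""Toy model of OpenPGP's two signature kinds (constructed example, not GnuPG code).

Scenario 1: certification  -> signer commits to (subject public key, user id)
Scenario 2: data signature -> signer commits to the file contents
Neither signature is valid in the other role, which is the point of the post.
"""
import hashlib

E = 65537  # public exponent shared by every toy key; coprime to the chosen (p-1)(q-1)


def make_key(p: int, q: int) -> dict:
    """Textbook RSA key from two primes (INSECURE toy; Mersenne primes are trivially recovered)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # requires Python 3.8+
    return {"n": n, "e": E, "d": d}


def _h(*parts: bytes) -> int:
    """Length-prefixed SHA-256 over all parts, as an integer below every toy modulus."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def _sign_int(key: dict, m: int) -> int:
    return pow(m, key["d"], key["n"])


def _verify_int(key: dict, m: int, sig: int) -> bool:
    # Only n and e are read here, so passing a full key dict as "public key" is fine.
    return pow(sig, key["e"], key["n"]) == m


def public_bytes(key: dict) -> bytes:
    # e is the fixed constant E, so the modulus alone identifies the public key.
    return key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")


# --- Scenario 1: signing a KEY (certification: "this key belongs to this user id") ---
def certify_key(signer: dict, subject_pub: dict, user_id: str) -> int:
    return _sign_int(signer, _h(b"cert", public_bytes(subject_pub), user_id.encode()))


def verify_certification(signer_pub: dict, subject_pub: dict, user_id: str, sig: int) -> bool:
    return _verify_int(signer_pub, _h(b"cert", public_bytes(subject_pub), user_id.encode()), sig)


# --- Scenario 2: signing DATA (the file itself is covered by the signature) ---
def sign_data(signer: dict, data: bytes) -> int:
    return _sign_int(signer, _h(b"data", data))


def verify_data_signature(signer_pub: dict, data: bytes, sig: int) -> bool:
    return _verify_int(signer_pub, _h(b"data", data), sig)


def run_scenarios() -> dict:
    """Replays the two scenarios from the thread and reports what each signature actually proves."""
    alice = make_key(2**521 - 1, 2**127 - 1)  # the sender's key (constructed)
    blake = make_key(2**607 - 1, 2**89 - 1)   # Blake's key (constructed)
    user_id = "Blake <blake@cyb.org>"          # constructed user id
    datafile = b"quarterly report: constructed sample file content\n"

    cert = certify_key(alice, blake, user_id)  # scenario 1: `gpg --edit-key` + `sign`
    file_sig = sign_data(alice, datafile)      # scenario 2: `gpg --sign --encrypt`

    return {
        "cert_valid": verify_certification(alice, blake, user_id, cert),
        # A key signature says nothing about the file: it does not verify as a data signature.
        "cert_does_not_cover_file": not verify_data_signature(alice, datafile, cert),
        "file_sig_valid": verify_data_signature(alice, datafile, file_sig),
        # Changing one byte of the signed data invalidates the data signature.
        "tampered_file_rejected": not verify_data_signature(
            alice, datafile.replace(b"report", b"repor7"), file_sig),
        # The certification is bound to Blake's user id; it cannot be moved to another identity.
        "cert_rebound_to_other_uid_rejected": not verify_certification(
            alice, blake, "Mallory <mallory@example.invalid>", cert),
    }


if __name__ == "__main__":
    for check, ok in run_scenarios().items():
        print(f"{check}: {ok}")
```

Running it prints `True` for every check: the certification from scenario 1 verifies only as a statement about Blake's key and user id, while only the scenario 2 signature verifies (and detects tampering) over the file. In GnuPG the same check is `gpg --verify` on the decrypted output, which succeeds only in scenario 2.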