Note that you will need to have GnuPG (GPG) installed before starting the tutorial.
In my previous article, we covered signing and verifying a document or file using PGP/GPG. In this article I will show you how to clearsign a message.
The theory behind this is very similar to that of signing a file, except that clearsigning lets you sign messages rather than files. This is ideal for when you want to sign a Tweet, a blog post, or anything else of that nature.
GPG describes this method like this:
A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it. The option --clearsign causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the document.
To create a clearsigned message, use this command:
gpg --clearsign doc.txt
Here "doc.txt" is the file that contains the message you want to clearsign. This will output a "doc.txt.asc" file which, when opened in Notepad or any other text editor, will show the message with the signature in the form below:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, this is a PGP clearsigned message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQCxI0qdhZJRpAJYTrByv1tlgaf3S0Y08vh/qU6P4H/1IHij12+gUul9Y9x86Uo9Ko
yKmaXFF6wFZtepBG5Dgbi//8kvi7I6ynZctsB7wib9yoUfmqJoxPwXOD8al0qHm3
1bCxI0qdhZJRpAruVOnfzKMQDhUceR/VWK6wEtUehXgW+4fiUCTmboNz2cnv1 9vQ+eZrtbrq2aZvzKMQDhUc+r2dH5BTdLOXfPEqRLuWMIGQMJHyNFS4JAOWfdYnP
YyPMD880lhKl+8bLI/XZMih6f+9jOkFE8wFHN+UAVVn5sZ6TwmDJCFAxdLbQDvs/
OWQTJDDxIkxaDaS0vwrJ4L+m2yv1tlgaf3S0Y08vh/qUYn1Ov3Y6X0Rl/CQnq3M=
=jSBM
-----END PGP SIGNATURE-----
You can now copy all of this text over, and you have a clearsigned message!
To verify a clearsigned message, simply input this command:
gpg --verify doc.txt.asc
It will tell you whether the signature verifies. It will give you a warning about the file not having a detached signature, but you can disregard that warning if the first line says "good signature" or something to that effect.
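To make the layout of the "doc.txt.asc" file shown above concrete, here is an added example (not part of the original article and not GnuPG's own code) that splits a clearsigned file into its Hash header, the signed text, the signature block, and any text sitting outside the BEGIN/END markers, which the signature does not cover. The function name split_clearsigned and the sample message are assumptions made for illustration; the sample is constructed and its signature body is a placeholder.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: the signature body is a placeholder, not a real signature.
SAMPLE = """\
Note added by whoever forwarded this file.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, this is a PGP clearsigned message.
- - a line that began with a dash is stored dash-escaped
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERnotARealSignature=
-----END PGP SIGNATURE-----
"""

def split_clearsigned(text):
    """Split the first clearsigned block in `text` into its parts."""
    # Trailing whitespace is not part of the signed data, so drop it up front.
    lines = [line.rstrip() for line in text.splitlines()]
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        raise ValueError("not a complete clearsigned message") from None
    # "Hash:" armor headers run up to the mandatory empty line.
    i, hashes = start + 1, []
    while i < sig and lines[i]:
        key, _, value = lines[i].partition(":")
        if key != "Hash":
            raise ValueError("expected a Hash header or an empty line")
        hashes += [h.strip() for h in value.split(",")]
        i += 1
    if i >= sig:
        raise ValueError("missing empty line before the signed text")
    # Undo dash-escaping: the signer prepends "- " to lines starting with "-".
    signed = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig]]
    # Anything outside the markers is not covered by the signature.
    outside = [l for l in lines[:start] + lines[end + 1:] if l]
    return {"hash": hashes, "signed_text": "\n".join(signed),
            "signature": lines[sig:end + 1], "unsigned_extra": outside}

if __name__ == "__main__":
    parts = split_clearsigned(SAMPLE)
    print("signed text:\n" + parts["signed_text"])
    print("NOT covered by the signature:", parts["unsigned_extra"])
```

The parser only shows which lines the signature covers; gpg --verify is still what checks the signature itself.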
Bonus: How to create a detached signature
GPG describes this method:
A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature. A detached signature is created using the --detach-sig option.
To create a detached signature, simply input this command:
gpg --output doc.sig --detach-sig doc.txt
Here "doc.txt" is the document you want to detach-sign and "doc.sig" is the detached signature.
Verifying such a document (using both the document and the detached signature file) can be done like so:
gpg --verify doc.sig doc.txt
Bam, you're done!
I wanted that one.. thank you very much.
Any ideas how to get rid of that warning?