Need some help about GPG signatures... !
-
Hello, guys,
Of course, I could have continued to check the integrity of the downloaded Notepad++ archives with the SHA-256 checksum, but I'm curious and decided to have a look at the GPG signatures! So, reading first from the N++ link:
https://notepad-plus-plus.org/news/v7.6.5-with-gpg-signatures.html
I downloaded the most recent version of the GnuPG software, gnupg-w32-2.2.15_20190326.exe, from that site: https://gnupg.org/ftp/gcrypt/binary/
And, from the end of the page below, I have recovered the SHA-1 sum of the gnupg-w32-2.2.15_20190326.exe software: https://gnupg.org/download/integrity_check.html
Its SHA-1 checksum is f5f7eeadfdf6ad971b5313f045083b4f95ace07b
By a right click on this archive and the choice, in the context dialog, of the CRC - SHA > SHA-1 option (from 7-Zip), I could verify that it was the same. Good! Now, on my old XP SP3 laptop, from the folder C:\Program Files\gnupg\bin, I started, in console mode, gpg.exe --help
and it answers:
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:\Documents and Settings\Guy\Application Data\gnupg
Algorithmes pris en charge :
Clef publique : RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Chiffrement : IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hachage : SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression : Non compressé, ZIP, ZLIB, BZIP2
Syntaxe : gpg [options] [fichiers]
Signer, vérifier, chiffrer ou déchiffrer
L'opération par défaut dépend des données entrées
Commandes :
 -s, --sign                 faire une signature
     --clear-sign           faire une signature en texte clair
 -b, --detach-sign          faire une signature détachée
 -e, --encrypt              chiffrer les données
 -c, --symmetric            chiffrement symétrique seulement
 -d, --decrypt              déchiffrer les données (défaut)
     --verify               vérifier une signature
 -k, --list-keys            afficher les clefs
     --list-signatures      afficher les clefs et les signatures
     --check-signatures     afficher et vérifier les signatures de clefs
     --fingerprint          afficher les clefs et les empreintes
 -K, --list-secret-keys     afficher les clefs secrètes
     --generate-key         générer une nouvelle paire de clefs
     --quick-generate-key   générer rapidement une nouvelle paire de clefs
     --quick-add-uid        quickly add a new user-id
     --quick-revoke-uid     quickly revoke a user-id
     --quick-set-expire     quickly set a new expiration date
     --full-generate-key    générer une paire de clefs complètes
     --generate-revocation  générer un certificat de révocation
     --delete-keys          supprimer les clefs du porte-clefs public
     --delete-secret-keys   supprimer les clefs du porte-clefs secret
     --quick-sign-key       signer rapidement une clef
     --quick-lsign-key      signer rapidement une clef localement
     --sign-key             signer une clef
     --lsign-key            signer une clef localement
     --edit-key             signer ou éditer une clef
     --change-passphrase    modifier une phrase secrète
     --export               exporter les clefs
     --send-keys            exporter les clefs vers un serveur de clefs
     --receive-keys         importer les clefs d'un serveur de clefs
     --search-keys          chercher les clefs avec un serveur de clefs
     --refresh-keys         mettre à jour les clefs depuis un serveur
     --import               importer ou fusionner les clefs
     --card-status          afficher l'état de la carte
     --edit-card            modifier les données d'une carte
     --change-pin           modifier le code personnel d'une carte
     --update-trustdb       mettre la base de confiance à jour
     --print-md             indiquer les fonctions de hachage
     --server               exécuter en mode serveur
     --tofu-policy VALUE    set the TOFU policy for a key
Options :
 -a, --armor                créer une sortie ASCII avec armure
 -r, --recipient IDENTITÉ   chiffrer pour l'IDENTITÉ
 -u, --local-user IDENTITÉ  utiliser l'IDENTITÉ pour signer ou déchiffrer
 -z N                       niveau de compression N (0 désactive)
     --textmode             utiliser le mode texte canonique
 -o, --output FICHIER       écrire la sortie dans le FICHIER
 -v, --verbose              bavard
 -n, --dry-run              ne rien modifier
 -i, --interactive          demander avant d'écraser un fichier
     --openpgp              utiliser le comportement strict d'OpenPGP
(Consultez la page de manuel pour obtenir une liste complète des commandes et options)
Examples:
 -se -r Bob [file]          sign and encrypt for user Bob
 --clear-sign [file]        make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints
Veuillez signaler toutes anomalies sur <https://bugs.gnupg.org> (en anglais)
et tout problème de traduction à <traduc@traduc.org>.
C:\Program Files\gnupg\bin (20:50:52)
Right! (Of course, it's in French, sorry!)
Then, following the N++ GPG-signatures page, I verified that the Key fingerprint value of the Release Key, below:
Signer: Notepad++
E-mail: don.h@free.fr
Key ID: 0x8D84F46E
Key fingerprint: 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
Key type: RSA 4096/4096
Created: 2019-03-11
Expiries: 2021-03-10
was identical from the 4 indicated sites, i.e. the value 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84
Well! I decided to have a try:
- First, I downloaded the two files npp.7.6.5.bin.7z and its signature npp.7.6.5.bin.7z.sig, in the same location (D:\Téléchargements), as stated.
- Then, as specified at the beginning of the page https://gnupg.org/download/integrity_check.html, I typed, in console mode, the similar command:
"C:\Program Files\gnupg\bin\gpg.exe" --verify npp.7.6.5.bin.7z.sig npp.7.6.5.bin.7z
And I got:
gpg: Signature faite le 03/30/19 20:40:08 Paris, Madrid
gpg: avec la clef RSA 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: Impossible de vérifier la signature : Pas de clef publique
D:\Téléchargements (21:40:54)
The last French phrase means: Can't check signature: No public key
But, in the N++ GPG signatures page, it is said, just before the Validating Digital Signature paragraph:
Then sign the Release Key with your private key and set the level of trust which you like.
So I'm really confused: one speaks about a private key and the gpg software speaks about a public key!? I feel stuck, wondering which way to go!
I also see, in the page below, at the paragraph Integrity & Authenticity validation:
https://notepad-plus-plus.org/download/v7.6.5.html
a link to the GPG Notepad++ Public key: https://notepad-plus-plus.org/gpg/nppGpgPub.asc
but I don't see how to use this public key with the gpg.exe software! Of course, it's my first immersion in that field and, maybe, I should read general articles about cryptography to begin with!
Oh!, I've just seen that Don has modified the article, adding pictures of GPG4Win and PGP Desktop! So, I would rather use the GPG4Win software, instead of the console version! So, please, do not be in a hurry to answer me. I'm still digging into the problem ;-)) I've got some elements but I don't know how to gather them up! Really disconcerting ;-))
Best regards,
guy038
-
-
since it’s my fault he started using gpg, I’ll try to help. :-)
First, it’s okay to use the command-line. I did. (I don’t like the Kleopatra GUI; if I’m going to do GUI, I use the GPG4Win version of GPA, not of Kleopatra… but I’m weird that way.)
First, you need to have the Notepad++ public key added to your keyring. To do so, you can either download https://notepad-plus-plus.org/gpg/nppGpgPub.asc, saving to your working directory, and use gpg --import nppGpgPub.asc. Alternately (and the way I would recommend) is to use gpg --search-keys 14BCE4362749B2B51F8C71226C429F1D8D84F46E (*: that's the whole fingerprint, which you quoted above): it should list only one match. Then do gpg --receive-keys 14BCE4362749B2B51F8C71226C429F1D8D84F46E, which will put it in your keyring. At this point, if you tried to verify the signature (I'll do the .zip, not the .7z, since that's what I have):
C:\usr\local\apps\npp.installers>gpg --verify npp.7.6.5.bin.x64.zip.sig npp.7.6.5.bin.x64.zip
gpg: Signature made 03/30/19 12:40:11 Pacific Daylight Time
gpg: using RSA key 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: Good signature from "Notepad++ <don.h@free.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
You would see "good signature" but "WARNING: This key is not certified with a trusted signature!"
The “good signature” is an indication that the .sig matches the downloaded file. The “WARNING” is because you have not told gpg that you trust Notepad++ don.h@free.fr’s signature. In an ideal world, before doing any of the following, you would independently verify from Don himself that 14BCE4362749B2B51F8C71226C429F1D8D84F46E is the fingerprint of his key (in person, on an encrypted phone line, or something similar). In a less-than-ideal world, because you can verify that the same person has access to both the notepad++ website and the notepad++ github repo, and posted the same fingerprint in both locations, you have a certain level of belief that it’s the right fingerprint for Notepad++ development.
At this point, you can either live with the warning (if you are paranoid in the less-than-ideal world). Or you can "sign" the Notepad++ public key (using your private key). There are two levels of signing it: you could sign it locally, which would just tell your keyring that you "trust" the key… but your local signing wouldn't be able to go out in public to give public approval of his signature. (You will want to research the Web of Trust to find out more about that.) I will assume a local signing for now. (If you ever want to change to a non-local signing, that's easy to do.)
gpg --lsign-key 14BCE4362749B2B51F8C71226C429F1D8D84F46E, then reply "y" to indicate you really want to: this will locally sign it. Now, if you redo the verification,
C:\usr\local\apps\npp.installers>gpg --verify npp.7.6.5.bin.x64.zip.sig npp.7.6.5.bin.x64.zip
gpg: Signature made 03/30/19 12:40:11 Pacific Daylight Time
gpg: using RSA key 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   3  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   3  signed:   0  trust: 1-, 0q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2021-03-11
gpg: Good signature from "Notepad++ <don.h@free.fr>" [full]
It no longer gives the warnings.
(*: Footnote: in the old days, they used to only use the last 8 hex digits of the fingerprint as a shorthand, so many tutorials would have said 0x8D84F46E; but in modern days, there have been collisions in those last 8 digits, so it's safest to use the full fingerprint, to avoid ambiguity.)
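A way to script the check Peter describes without depending on gpg's human-readable output (which, as the French runs in this thread show, is localized and therefore fragile to match): gpg's machine-readable `--status-fd` lines. This is an added example, not code from the Notepad++ project or from anyone in the thread. The status lines embedded below are constructed to mirror the thread's runs (the attempt before the key was imported, and the "good signature but untrusted" result after), `verify_with_gpg` assumes a `gpg` binary on PATH, and the `0123456789ABCDEF` key in the third sample is a placeholder.

```python
"""Judge a gpg --verify run by its '[GNUPG:] ...' status lines, pinning the
full fingerprint of the release key rather than trusting localized text.
Added example for the thread above; not GnuPG's or Notepad++'s own code."""
import subprocess
from dataclasses import dataclass

# Fingerprint published on the Notepad++ site and GitHub (quoted in the thread).
NPP_RELEASE_KEY_FPR = "14BCE4362749B2B51F8C71226C429F1D8D84F46E"


@dataclass
class Verdict:
    ok: bool              # True only if the signature is valid AND by the pinned key
    reason: str
    fingerprint: str = ""
    trust: str = ""       # gpg's web-of-trust level; informational, never decisive here


def evaluate_status(status_lines, expected_fpr):
    """Decide from status lines whether the signature is acceptable. Only
    VALIDSIG carries the full fingerprint; GOODSIG carries just the 64-bit
    key ID (the collidable short form Peter's footnote warns about)."""
    expected = expected_fpr.replace(" ", "").upper()
    seen, fpr, trust = set(), "", ""
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                                  # ordinary output, ignored
        fields = line.split()
        seen.add(fields[1])
        if fields[1] == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> [<primary-fpr>]
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
        elif fields[1].startswith("TRUST_"):
            trust = fields[1][len("TRUST_"):].lower()
    if "NO_PUBKEY" in seen:
        return Verdict(False, "signing key not in keyring: import it first")
    if "BADSIG" in seen or "ERRSIG" in seen or "VALIDSIG" not in seen:
        return Verdict(False, "signature did not verify")
    if fpr != expected:
        return Verdict(False, "good signature, but by %s, not the pinned key" % fpr, fpr, trust)
    # TRUST_UNDEFINED here is exactly the "not certified" WARNING from the thread;
    # it does not change the verdict, because the fingerprint itself was pinned.
    return Verdict(True, "valid signature by the pinned key", fpr, trust)


def verify_with_gpg(sig_path, data_path, expected_fpr=NPP_RELEASE_KEY_FPR):
    """Run gpg (assumed on PATH, key already imported) and judge its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), expected_fpr)


# Constructed status output, first run in the thread (public key not yet imported).
STATUS_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 6C429F1D8D84F46E 1 8 00 1553974808 9",
    "[GNUPG:] NO_PUBKEY 6C429F1D8D84F46E",
]
# Constructed status output after the import, before any --lsign-key.
STATUS_UNTRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 6C429F1D8D84F46E Notepad++ <don.h@free.fr>",
    "[GNUPG:] VALIDSIG 14BCE4362749B2B51F8C71226C429F1D8D84F46E 2019-03-30 1553974808 0 4 0 1 8 00 "
    "14BCE4362749B2B51F8C71226C429F1D8D84F46E",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed: a perfectly good signature, but from some other key (placeholder id).
STATUS_WRONG_KEY = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <nobody@example.invalid>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2019-03-30 1553974808 0 4 0 1 8 00 "
    "0000000000000000000000000123456789ABCDEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    for name, lines in (("no key", STATUS_NO_KEY), ("untrusted", STATUS_UNTRUSTED),
                        ("wrong key", STATUS_WRONG_KEY)):
        print(name, "->", evaluate_status(lines, NPP_RELEASE_KEY_FPR))
```

The design point: `gpg --verify` exits 0 for a good signature by any key in the keyring, and the trust warning is about the Web of Trust, not about whether the file is the one Notepad++ released. Pinning the fingerprint you checked against both the website and GitHub, as Peter describes, is the check that matters for a download; `--lsign-key` only silences the warning and is optional with this approach.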
-
hi @guy038
whenever i hear gpg i feel like a caveman that sees an airplane for the first time ;-)
but maybe @saelic has an answer, if you need even more information than provided by @PeterJones. In the meantime, maybe there's some information at the github gpg discussion that could be useful: https://github.com/notepad-plus-plus/notepad-plus-plus/issues/2524
it’s currently all way above my capabilities.
-
(sorry about the multiedit to my post; akismet was getting in the way at first, and I had to cut some out, post, then paste it back in, and repost; and then I missed part of it, so had to grab my original from my NPP window, and re-edit/post again.)
-
Hi, @peterjones, @meta-chuh and All,
Off topic : Sorry I have not been around in the last few days, as I’ve been pretty busy… modifying my kitchen worktop, due to the installation of a new induction cooktop ( not yet finished…! )
Thank you very much, Peter, for your valuable advice. You put me in the right direction ;-))
Of course, I read some articles on gpg software, from current documentation :
https://gnupg.org/documentation/manuals/gnupg/
https://gnupg.org/documentation/manuals/gnupg/Option-Index.html#Option-Index
And from the old documentation :
https://www.gnupg.org/gph/en/manual/book1.html
I also got some pieces of information from these two sites:
http://www.amssolarempire.com/Documents/GPGHowto3.htm
http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/
Finally, I found out some valuable information about all these cryptographic notions in chapters 2, 4, 24 and 25 of the complete PDF manual of Gpg4win (the Windows GUI version of gpg.exe), below, that you may download: https://files.gpg4win.org/doc/gpg4win-compendium-en.pdf
So, roughly, from what I understand:
- A GPG certificate contains two parts:
  - A secret or private key, which must be kept totally secret!
  - A public key, which should be totally public!
- Encryption / decryption process, based on the certificate of the recipient (User B):
  - User A encrypts a file with the public key part of a certificate of User B (previously sent to User A, by User B)
  - Later, User B can decrypt this file with the private key part of his own certificate (B)
- Signing process, based on the certificate of the sender (User A):
  - User A creates a signature of a file with the private key part of his own certificate (A).
  - Later, User B can authenticate this signature with the public key part of the certificate of User A (previously sent to User B, by User A)
Now, I’ll try to explain the different steps and GPG commands that I have used ! Sorry, because almost all output text is, partially, in French ;-)) I tried to translate the main messages.
Peter, you omitted to mention the creation of a first key pair. But, as it’s needed to sign a key, I think it’s better to generate a key-pair first, anyway.
- So I began, using the --gen-key command:
>gpg --gen-key
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Remarque : Utilisez « gpg --full-generate-key » pour une fenêtre de dialogue de génération de clef complète.
GnuPG doit construire une identité pour identifier la clef.
Nom réel : guy038
Adresse électronique : xxxx.xxx@gmail.com
Vous avez sélectionné cette identité :
« xxxxxx <xxxx.xxx@gmail.com> »
Changer le (N)om, l'(A)dresse électronique ou (O)ui/(Q)uitter ? o
De nombreux octets aléatoires doivent être générés. Vous devriez faire autre chose (taper au clavier, déplacer la souris, utiliser les disques) pendant la génération de nombres premiers ; cela donne au générateur de nombres aléatoires une meilleure chance d'obtenir suffisamment d'entropie.
De nombreux octets aléatoires doivent être générés. Vous devriez faire autre chose (taper au clavier, déplacer la souris, utiliser les disques) pendant la génération de nombres premiers ; cela donne au générateur de nombres aléatoires une meilleure chance d'obtenir suffisamment d'entropie.
gpg: clef 1B9616F3F01385D1 marquée de confiance ultime.
gpg: répertoire « C:/Documents and Settings/Guy/Application Data/gnupg/openpgp-revocs.d » créé
gpg: revocation certificate stored as 'C:/Documents and Settings/Guy/Application Data/gnupg/openpgp-revocs.d\245CFFF794538086A34E1E5B1B9616F3F01385D1.rev'
les clefs publique et secrète ont été créées et signées.
pub   rsa2048 2019-04-04 [SC] [expire : 2021-04-03]
      245CFFF794538086A34E1E5B1B9616F3F01385D1
uid                      xxxxxx <xxxx.xxx@gmail.com>
sub   rsa2048 2019-04-04 [E] [expire : 2021-04-03]
After entering yes, you'll be asked to enter a "passphrase". Be creative, using more than 12 characters, different-case letters, digits and symbols, based on a phrase relating to one event of your life, for instance!
Remark: I calculated that, with my 16-char chosen password, taken from the list of ASCII chars, except for the control chars, there are 96 ^ 16 = 52,040,292,466,647,269,602,037,015,248,896 possibilities. So, even if a computer could test 10^12 combinations per second (or 1,000 computers could test 10^9 combinations per second), it would take 52,040,292,466,647,269,602 seconds or about 1,650 billion years to test all the possibilities!!
After validating your "passphrase", you'll be asked to type on your keyboard or move the mouse around and click, in order to seed a random number for the key generating process!
After a while, I got the confirmation message "The public and secret keys have been created and signed". A key size of 2048 bytes has been used, by default.
Note: I could have used the gpg --full-gen-key command, which, in addition, allows you to choose the key type and size, as described below:
>gpg --full-gen-key
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Sélectionnez le type de clef désiré :
   (1) RSA et RSA (par défaut)
   (2) DSA et Elgamal
   (3) DSA (signature seule)
   (4) RSA (signature seule)
Quel est votre choix ? 1
les clefs RSA peuvent faire une taille comprise entre 1024 et 4096 bits.
Quelle taille de clef désirez-vous ? (2048) 4096
La taille demandée est 4096 bits
Veuillez indiquer le temps pendant lequel cette clef devrait être valable.
         0 = la clef n'expire pas
      <n>  = la clef expire dans n jours
      <n>w = la clef expire dans n semaines
      <n>m = la clef expire dans n mois
      <n>y = la clef expire dans n ans
Pendant combien de temps la clef est-elle valable ? (0) 0
La clef n'expire pas du tout
Est-ce correct ? (o/N) o
GnuPG doit construire une identité pour identifier la clef.
Nom réel : Smith001
Adresse électronique : ^C
...
...
- Then, I imported the public key of Notepad++, with the gpg --import command:
>gpg --import nppGpgPub.asc
gpg: clef 6C429F1D8D84F46E : clef publique « Notepad++ <don.h@free.fr> » importée
gpg: Quantité totale traitée : 1
gpg:               importées : 1
- So, I verified the signature of my downloaded npp.7.6.5.bin.7z archive, with the --verify command:
>"C:\Program Files\gnupg\bin\gpg.exe" --verify npp.7.6.5.bin.7z.sig npp.7.6.5.bin.7z
gpg: Signature faite le 03/30/19 20:40:08 Paris, Madrid
gpg: avec la clef RSA 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: Bonne signature de « Notepad++ <don.h@free.fr> » [inconnu]
gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
gpg: Rien n'indique que la signature appartient à son propriétaire.
Empreinte de clef principale : 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
In English:
Good signature from « Notepad++ <don.h@free.fr> » [unknown]
WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.
- Now, I tell GPG to trust the Notepad++ signature, from Don Ho, with the gpg --lsign-key command:
>gpg --lsign-key 14BCE4362749B2B51F8C71226C429F1D8D84F46E
pub  rsa4096/6C429F1D8D84F46E
     créé : 2019-03-11  expire : 2021-03-11  utilisation : SC
     confiance : inconnu     validité : inconnu
sub  rsa4096/C7295A84DFABBC55
     créé : 2019-03-11  expire : 2021-03-11  utilisation : E
[ inconnue] (1). Notepad++ <don.h@free.fr>
pub  rsa4096/6C429F1D8D84F46E
     créé : 2019-03-11  expire : 2021-03-11  utilisation : SC
     confiance : inconnu     validité : inconnu
 Empreinte clef princip. : 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
     Notepad++ <don.h@free.fr>
Cette clef va expirer le 2021-03-11.
Voulez-vous vraiment signer cette clef avec votre clef « xxxxxx <xxxx.xxx@gmail.com> » (1B9616F3F01385D1)
La signature sera marquée comme non exportable.
Voulez-vous vraiment signer ? (o/N) o
It asked me to confirm signing that key with my private key and answered that this signature is marked as non-exportable.
- Trying again to verify the signature of npp.7.6.5.bin.7z, with the --verify command, I got, this time:
>"C:\Program Files\gnupg\bin\gpg.exe" --verify npp.7.6.5.bin.7z.sig npp.7.6.5.bin.7z
gpg: Signature faite le 03/30/19 20:40:08 Paris, Madrid
gpg: avec la clef RSA 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: vérification de la base de confiance
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: profondeur : 0  valables :   1  signées :   1  confiance : 0 i., 0 n.d., 0 j., 0 m., 0 t., 1 u.
gpg: profondeur : 1  valables :   1  signées :   0  confiance : 1 i., 0 n.d., 0 j., 0 m., 0 t., 0 u.
gpg: la prochaine vérification de la base de confiance aura lieu le 2021-03-11
gpg: Bonne signature de « Notepad++ <don.h@free.fr> » [totale]
- For information, I ran the --list-keys, --list-signatures and --list-secret-keys commands:
>gpg --list-keys
C:/Documents and Settings/Guy/Application Data/gnupg/pubring.kbx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pub   rsa2048 2019-04-04 [SC] [expire : 2021-04-03]
      245CFFF794538086A34E1E5B1B9616F3F01385D1
uid          [  ultime ] xxxxxx <xxxx.xxx@gmail.com>
sub   rsa2048 2019-04-04 [E] [expire : 2021-04-03]
pub   rsa4096 2019-03-11 [SC] [expire : 2021-03-11]
      14BCE4362749B2B51F8C71226C429F1D8D84F46E
uid          [  totale ] Notepad++ <don.h@free.fr>
sub   rsa4096 2019-03-11 [E] [expire : 2021-03-11]
>gpg --list-signatures
C:/Documents and Settings/Guy/Application Data/gnupg/pubring.kbx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pub   rsa2048 2019-04-04 [SC] [expire : 2021-04-03]
      245CFFF794538086A34E1E5B1B9616F3F01385D1
uid          [  ultime ] xxxxxx <xxxx.xxx@gmail.com>
sig 3        1B9616F3F01385D1 2019-04-04  xxxxxx <xxxx.xxx@gmail.com>
sub   rsa2048 2019-04-04 [E] [expire : 2021-04-03]
sig          1B9616F3F01385D1 2019-04-04  xxxxxx <xxxx.xxx@gmail.com>
pub   rsa4096 2019-03-11 [SC] [expire : 2021-03-11]
      14BCE4362749B2B51F8C71226C429F1D8D84F46E
uid          [  totale ] Notepad++ <don.h@free.fr>
sig 3        6C429F1D8D84F46E 2019-03-11  Notepad++ <don.h@free.fr>
sig L        1B9616F3F01385D1 2019-04-04  xxxxxx <xxxx.xxx@gmail.com>
sub   rsa4096 2019-03-11 [E] [expire : 2021-03-11]
sig          6C429F1D8D84F46E 2019-03-11  Notepad++ <don.h@free.fr>
>gpg --list-secret-keys
C:/Documents and Settings/Guy/Application Data/gnupg/pubring.kbx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sec   rsa2048 2019-04-04 [SC] [expire : 2021-04-03]
      245CFFF794538086A34E1E5B1B9616F3F01385D1
uid          [  ultime ] xxxxxx <xxxx.xxx@gmail.com>
ssb   rsa2048 2019-04-04 [E] [expire : 2021-04-03]
- Then I tried to export my public key to a plain text file with the --export command and the -a option (I'll have to send it to users to enable them to send me back some encrypted messages or files!)
>gpg --export -a "guy038" > guy038GpgPub.asc
C:\Program Files\gnupg\bin (22:17:36)
>type guy038GpgPub.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFyl+4gBCACXFnrTr5On/3RoANq0UY41UoTzUpyiCbknPcpbMzIWwGQdJUz3
3Xm+jLzK6WZiiZL/9WzfSzTl5iFmH+x/jASbb4X80q8+XpWneKC3hqh+awqBmUT5
JBgABJxijdj5PVCKMKQsDgf0mLgah1Jax7Im/4Ydvc3EkgoWXSNcUVrFtlh4tC+U
FYeFay1mSLUjAxEgQ7XYom91GtxhMiO5dgTo5x8/4Dw8KGSMefnsV2OQI9vUld2H
VLbjCa013MB/4wD3y1QESyFooDZUMeyzXg/zL67XqLf14LPwS0fkcy/PcsdGWtiz
a5QGk4Me5rfgzQxVSO8Df6cXBnl0MvcGjCZXABEBAAG0G2d1eTAzOCA8dGd1eS4w
MzhAZ21haWwuY29tPokBVAQTAQgAPhYhBCRc//eUU4CGo04eWxuWFvPwE4XRBQJc
pfuIAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBuWFvPwE4XR
s5IH/R2p2A2RdPf6314uVQSlG6GoXrzv8OBn4oepc7QksVUAFmKJcQjqIfiKEa3a
GV5p4X6GdJVa1BE5LuaGtveSifrhJCm7ABIWGn4K+Tq5IhEg+S2ZZs0d2mKDM0Tm
I6Ph9TLJ0qxYWfV5um/pyVZlTF8E0NafaL6ZkFMWAeCwCOa42pk/SVnX7s6hI9Np
wLk01mxBSnMv32nNPWrMke7TIdd4tEZFTl16hd9Dkl+ypH9fUSiMuW7g8oHBu6R5
MfYtzm9ti1/cA8tD0ID9yU5hWDV1jmqeiPQaH/MuXt5YCYwJaIQLvEpnoEDz/X5Z
2v00QBRCDRUlGbJVaUVbsSKraEy5AQ0EXKX7iAEIANW3k2JOxwE80wkZsPfPhbaL
sLXn2bNPiHYdwLm9MMEMhpgRvXDLPNsFILEyYEerCA+Xu+X9N1ONq58p2Qh0r2Cs
p/7utRYbyQUIAMcvUtt5DMQVaiopIeG9AIw7y8rPFfSSTQXUNBGQeykuVRFKATPt
ny1XlPDURp6P78eixUrLTVuecMeDqLQapT8F0mvePPKNerAWVLm5lhsyMLBxnybK
DtnDE3rXj8UknLx77SyBRwKQ05IWw4gtv7FYDRrGvac1M8hkXQBPdwu5RO2meAgc
ZMMEGIvTXZoZdpqFtV6V/bGnNVE5eUibwdefxPcNBqLSjLOqi10OGdCDkItOQZEA
EQEAAYkBPAQYAQgAJhYhBCRc//eUU4CGo04eWxuWFvPwE4XRBQJcpfuIAhsMBQkD
wmcAAAoJEBuWFvPwE4XRshUH/21+qFp7b2vGjlbQCu9U3sd93F8/wzBEfXpKpqTl
QMuGQ84e5T2rN7TT/boHlFtBDsBP5YjDI9jTbp7KH4ReKnP/TRY1hnafovqVr00I
rp9S0EX0ac0zxk+8LUNmf5MwoBqDgOSsd66oNfJWjQwm09OQpg+qsbZTn/Ho0i1n
b77Rde/bipf+ayzW/+6o2dJMfGFJYHQMoeEFj1QO0TFW2NnGk+0P/TUR7UWzubRQ
gyF7YxXe7uI5AQjJSsgP26LxbHxoiOKmVcZj1dZOjUNNFG9SFY1iR8QGIo/KCVe3
tQVT9B0+RwsPzkRDNM4mHXkbYEPl4eSxtqTuxQ2jaPqYGQU=
=tVgX
-----END PGP PUBLIC KEY BLOCK-----
Remarks:
- This is just an example! Do not paste it for further use, as I will change my certificate very soon!
- If the -a option is absent, the public key will be output as a binary file:
>gpg --export "guy038" > guy038GpgPub.gpg
C:\Program Files\gnupg\bin (23:28:24)
>type guy038GpgPub.gpg
♦\ѹ ù▬zË»ôº th ┌┤QÄ5Rä¾R£ó ╣'=╩[32▬└d↔%L¸¦y¥î╝╩ÚfbëÆ §l▀K4Õµ!f▼ý⌂î♦øoà³Ê»>^òºxáÀå¿~k üÖD¨$↑ ♦£bìϨ=Pè0ñ,♫¶ÿ©
C:\Program Files\gnupg\bin (23:30:47)
More in the next post !
guy038
-
-
Hi, @peterjones, @meta-chuh and All,
At this point I asked myself about the encryption/decryption processes:
The general GPG commands to encrypt/decrypt a file, named <File.ext>, are:
- To encrypt: gpg [ -a ] [ -u <Sender User Name> ] -r <Receiver User Name> [ -o <Output File> ] -e <File.ext>
- To decrypt: gpg [ -u <Sender User Name> ] -o <Output File> -d <File.ext.gpg> | <File.ext.asc>
In case you're paranoid and you want to encrypt/decrypt your OWN files:
- During encryption:
  - As you choose yourself as a recipient, the option -r should be -r <Your User Name> and the -u option is not necessary
  - The -o option is optional. In that case, the default output file is (idem for signing):
    - <File.ext.gpg> in case of an encryption of a binary file (without the -a option)
    - <File.ext.asc> in case of an encryption of a text file (with the -a option)
- During decryption:
  - The -u <Sender User Name> option is generally useless, as the right private key, in order to decrypt, should be chosen automatically!
  - Then, GPG will ask you for the "passphrase" of your corresponding certificate
  - Note that the -o option is mandatory, otherwise the binary/text file is dumped to the standard output!
To that purpose, I used the well-known binary file sol.exe (the Windows Solitaire card game!) and a simple text file, named Test.txt, containing the line ----- This is a test -------- surrounded with two line-breaks. So:
- To encrypt the binary file sol.exe in a file named encrypted.exe, use the -e command with the -o option:
>gpg -r guy038 -o encrypted.exe -e sol.exe
C:\Program Files\gnupg\bin ( 0:37:07)
>type encrypted.exe
à☺♀♥ÇÕ╬øâ-Õ Ö↓tü►m ♦¸O@ö-Q█ÀAa=╔ÄÙ¨C/X¿╩Ðyf♥▄c▬î┬÷┐kÕ ºÝ¼¢Râ³░╣╝¤µ╚↕äa;û/¹)y╣¶Uhy▀ɺ╠±-áÎ\┐┘O&·BV¨8♫♀‗á↑║│c©Ø╬┌uä└= *QÙ4ê?éIÓh;:O├óÿ9õåN¨è`mÙ+╝╔1¥=9Q╝ñ:!±7█┘¶-↨f♣░╣I═←orq*ïÇ┤♀ÐÛ²eì┌
- To encrypt the binary file sol.exe in a file with the default name sol.exe.gpg, use the -e command, without the -o option:
>gpg -r guy038 -e sol.exe
C:\Program Files\gnupg\bin ( 0:40:20)
>type sol.exe.gpg
à☺♀♥ÇÕ╬øâ-Õ╩☺ mI¡ÔØt↓├¤«☺do Ô·¶◄£Ï^R╩Õ³©R½░J└pV
C:\Program Files\gnupg\bin ( 0:40:36)
- To decrypt the encrypted.exe file and create the decrypted file, named sol_bis.exe, use the -d command and the -o option:
>gpg -u guy038 -o sol_bis.exe -d encrypted.exe
gpg: chiffré avec une clef RSA de 2048 bits, identifiant 80E5CE9B832DE5CA, créée le 2019-04-04
      « xxxxxx <xxxx.xxx@gmail.com> »
C:\Program Files\gnupg\bin ( 0:51:10)
>fc sol.exe sol_bis.exe
Comparaison des fichiers sol.exe et SOL_BIS.EXE
FC : aucune différence trouvée
The DOS fc command (File Compare) confirms "no difference found" between the original sol.exe and the decrypted file sol_bis.exe.
- To decrypt the sol.exe.gpg file and create the decrypted file, named sol_ter.exe, use the -d command and the -o option:
>gpg -u guy038 -o sol_ter.exe -d sol.exe.gpg
gpg: chiffré avec une clef RSA de 2048 bits, identifiant 80E5CE9B832DE5CA, créée le 2019-04-04
      « xxxxxx <xxxx.xxx@gmail.com> »
C:\Program Files\gnupg\bin ( 0:56:16)
>fc sol.exe sol_ter.exe
Comparaison des fichiers sol.exe et SOL_TER.EXE
FC : aucune différence trouvée
Again, the DOS fc command confirms that the files sol.exe and sol_ter.exe are strictly identical!
- To encrypt the text file test.txt in a file named encrypted.txt, use the -e command with the -a and -o options:
>gpg -a -r guy038 -o encrypted.txt -e test.txt
C:\Program Files\gnupg\bin ( 1:00:00)
>type encrypted.txt
-----BEGIN PGP MESSAGE-----
hQEMA4DlzpuDLeXKAQf/TbCa25cxoNZAm5BKEZ0x9CFgImUx4ch27C94N6MeOcHw
OA2zlMj9XsS7X81qhFv+j10zg14AV03UFvSkmUj361Lav5L+hwW1lfe6p6lOjMP0
VbIolo6vc+/MZS3QhE6wwCGyr69FMFD7PFFjCSbMqGtrysn6x+RwHBtV1drnHYu/
nf+D4/aHuIFFdjSHdqopE5fUWlfMQkCcDrfTUkqTMhFcqwD/uT8CuflRkozjj6OY
6icJm/azcog1kJ5sSHEfCPCSMDUYchMUGC/Kbk38wQc0W9F6ErkfaIKk5hQcQM6V
q6OauTsg2TDD2I2Bq/kWE+SNUEcW4gxmGbX1HE0qgNJYAb0dZ0k0gupCneuEWBRh
bzcwDBFKEwcyONk6oKLgYFPhBXcmImiSGSB9FVPDGJ+nh1Kx7cbAoTLsMbFEDPEx
Gz4i87sacXGb4t8uFB0p208ASVK8vTuruw==
=T62g
-----END PGP MESSAGE-----
- To encrypt the text file test.txt in a file with the default name test.txt.asc, use the -e command with the -a option, and without the -o option:
>gpg -a -r guy038 -e test.txt
C:\Program Files\gnupg\bin ( 1:04:55)
>type test.txt.asc
-----BEGIN PGP MESSAGE-----
hQEMA4DlzpuDLeXKAQf+KQ17Vtom6Ln4nsv1S4HbCaKIuIZLkJAuopxtXMGT3ThS
0DESEcj/nNjZFUUuSGmOXalQeOw4/EVjFPeCrLqLiNXoazwZsy0UMqw3BYbvH4Yi
77UenaOYhEzmoUX+9Y5DsHZSkoUpmcTzZmdgDuypiwMg7AQwu7v/NJwK1Vkg4g1n
koXApV0843NjQoC7zJyK76E1PN/TegJwH1IQ2nWJeaAsdF0h9c1Xgidk1wlBOzb1
CkSZZONRYbVS0d06hWBZqep70TdEseVq2Pt1g06dXBJRTN1sVSncotZG35eGVycV
FCTmnsGd12bNONIkB6GXtEYjpRSULPHMxNvLLxyk1tJYAcdjEtx55SzMzq2tb4Vq
4o4DPaBZmV4RyqT36DC6IzHRjEwJbpxZGJBniaN9m0C9V6gGL1gtSVxb1zuO/jAv
/3yDqsJHEAyqOhJYiSbbsOeqkD/8DEztYg==
=aUbu
-----END PGP MESSAGE-----
- To decrypt the encrypted.txt file and create the decrypted file, named Test_bis.txt, use the -d command and the -o option:
>gpg -u guy038 -o Test_bis.txt -d encrypted.txt
gpg: chiffré avec une clef RSA de 2048 bits, identifiant 80E5CE9B832DE5CA, créée le 2019-04-04
      « xxxxxx <xxxx.xxx@gmail.com> »
C:\Program Files\gnupg\bin ( 1:40:53)
>fc test.txt Test_bis.txt
Comparaison des fichiers test.txt et TEST_BIS.TXT
FC : aucune différence trouvée
Again, the files test.txt and Test_bis.txt are identical.
- To decrypt the test.txt.asc file and create the decrypted file, named Test_ter.txt, use the -d command and the -o option:
>gpg -u guy038 -o Test_ter.txt -d test.txt.asc
gpg: chiffré avec une clef RSA de 2048 bits, identifiant 80E5CE9B832DE5CA, créée le 2019-04-04
      « xxxxxx <xxxx.xxx@gmail.com> »
C:\Program Files\gnupg\bin ( 1:57:15)
>fc test.txt Test_ter.txt
Comparaison des fichiers test.txt et TEST_TER.TXT
FC : aucune différence trouvée
Again, the files test.txt and Test_ter.txt are identical.
Finally, I tried to test the signing process, but… I’m not so confident about what I’ve found out, below :-((
- To sign the sol.exe program, use the -s command and the -o option:
>gpg -u guy.038 -o sol.exe.sig -s sol.exe
C:\Program Files\gnupg\bin (14:58:59)
>type sol.exe.sig
ú☺ý╣♂XTÕ÷8╝å↓`Èü↓§♀‼ì¶O¶ÛAG:↕Y ♀Ä):82â) 8l÷8XÇÏH9mº¼Ë═Äòfv:ı´dùôf7♠¿Ö¿®®§ÜÍãí─←óó¹[Ù¦3Ç&þ£´{×´ ³ ▀¾mX¾ÌÍ{[´zÎÝ]↓ñ♦ÁbðK♥╬À÷»nT³OSð#üÑEàú‗╩‗f µÁ☼▓·tV×^0ÎF}{Z½╔ 0Eíä¬e§±¥║&ð*·(☻☺▓░P)ÎUgÒÅ♫íÿ§§,´ÓÅY☻Uþê◄ÅõEöÏ↨F¶,îH×fÄXPöø7*(¿wñwîó)☺│úG┌┤¦ß▲äãÓ(ûFÅ,ðZX¨QÝ}ÿ~◄<Æıƒ F┤G☻§È\┼ îh:╣?t&ý;└'öALx╝gÜF¶ Åö╚└I▀±Nó÷Ù↓o¶ƒWãSÜÚ]►ÝUu#N♦└£Q╣9|♫µW►3ðÌi╠Gn─K ¿↓URZ2↨╝{á¢ö#õ■☺/ß█1ı±F╠´┴ÈýMþ`J§♂╝eªJ}u³‼Ì·§ÿÄ╣^◄ JÀ▒▬ö.Ü[┬Å╩-,ä─dKóiÆ~♀+L6Lƒj S|¿IËRôf°3← Õû#Ä╝AG∟ºç▲q∟
- Oddly, checking the signature with the --verify command gives:
>gpg --verify sol.exe.sig sol.exe
gpg: la signature n'est pas détachée
i.e. in English, the message:
gpg: the signature is not detached
- But to check and extract the original document from sol.exe.sig, use the -d command and the -o option:
>gpg -u guy038 -o sol_4th.exe -d sol.exe.sig
gpg: Signature faite le 04/06/19 14:58:15 Paris, Madrid (heure d'été)
gpg: avec la clef RSA 245CFFF794538086A34E1E5B1B9616F3F01385D1
gpg: issuer "xxxx.xxx@gmail.com"
gpg: Bonne signature de « xxxxxx <xxxx.xxx@gmail.com> » [ultime]
C:\Program Files\gnupg\bin (15:06:02)
>fc sol.exe sol_4th.exe
Comparaison des fichiers sol.exe et SOL_4TH.EXE
FC : aucune différence trouvée
Once more, the files sol.exe and sol_4th.exe are identical.
Remark:
@peterjones, I don’t understand something, yet :-((
From what it is said, just before the Clearsigned Documents section, of that article, below :
https://www.gnupg.org/gph/en/manual/x135.html
Given a signed document, you can either check the signature or check the signature and recover the original document. To check the signature use the --verify option. To verify the signature and extract the document use the --decrypt option. The signed document to verify and recover is input and the recovered document is output.
In that case, the command gpg -u guy038 -o Test.7z -d npp.7.6.5.bin.7z.sig should verify the signature and recover the original archive, in the Test.7z file, in the same way it did with the command gpg -u guy038 -o sol_4th.exe -d sol.exe.sig, above ! However, this does not work, as the Test.7z file is not created. It just says :

>"c:\Program Files"\gnupg\bin\gpg -u guy038 -o Test.7z -d npp.7.6.5.bin.7z.sig
gpg: les données signées sont supposées être dans « npp.7.6.5.bin.7z »
gpg: Signature faite le 03/30/19 20:40:08 Paris, Madrid
gpg:                avec la clef RSA 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: Bonne signature de « Notepad++ <don.h@free.fr> » [totale]
i.e. in English :

>"c:\Program Files"\gnupg\bin\gpg -u guy038 -o Test.7z -d npp.7.6.5.bin.7z.sig
gpg: the signed data are supposed to be in « npp.7.6.5.bin.7z »
gpg: Signature made on 03/30/19 20:40:08 Paris, Madrid
gpg:                with key RSA 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: Good signature from « Notepad++ <don.h@free.fr> » [full]
Why ??? Maybe it’s because that old documentation ( from 1999 ) is really obsolete !
- To sign the sol.exe program and create a signature with the default name sol.exe.gpg, use the -s command, without the -o option :
>gpg -u guy.038 -s sol.exe

C:\Program Files\gnupg\bin (15:13:44)
>type sol.exe.gpg
(binary signed data, unreadable on the console)

C:\Program Files\gnupg\bin (15:20:31)
- To check and extract the original document from sol.exe.gpg, use the -d command and the -o option :
>gpg -u guy038 -o sol_5th.exe -d sol.exe.gpg
gpg: Signature faite le 04/06/19 15:13:19 Paris, Madrid (heure d'ÚtÚ)
gpg:                avec la clef RSA 245CFFF794538086A34E1E5B1B9616F3F01385D1
gpg:                issuer "xxxx.xxx@gmail.com"
gpg: Bonne signature de « xxxxxx <xxxx.xxx@gmail.com> » [ultime]

C:\Program Files\gnupg\bin (15:31:54)
>fc sol.exe sol_5th.exe
Comparaison des fichiers sol.exe et SOL_5TH.EXE
FC : aucune différence trouvée
For the last time, the files sol.exe and sol_5th.exe are identical.

Best Regards,
guy038
P.S. :
Peter, I would like to re-create my key-pair, with a size of 4096 bytes ( instead of 2048 ). I suppose that the best way is to delete my present key-pair and generate a new key-pair afterwards, isn’t it ? So, from the manual, I would have to use, first, one of these three commands, below :

--delete-keys name
    Remove key from the public keyring. In batch mode either --yes is required or the key must be specified by fingerprint. This is a safeguard against accidental deletion of multiple keys.

--delete-secret-keys name
    Remove key from the secret keyring. In batch mode the key must be specified by fingerprint. The option --yes can be used to advice gpg-agent not to request a confirmation. This extra pre-caution is done because gpg can’t be sure that the secret key (as controlled by gpg-agent) is only used for the given OpenPGP public key.

--delete-secret-and-public-key name
    Same as --delete-key, but if a secret key exists, it will be removed first. In batch mode the key must be specified by fingerprint. The option --yes can be used to advice gpg-agent not to request a confirmation.
-
-
due to the installation of a new induction cooktop ( not yet finished…! )
off topic: i hope it’s not one of those types, where you have touch controls on top of the cooktop.
nowadays the majority of cooktops are this utterly birdbrained kind, and i really hate this, as i would always move some pan or pot on top of it, causing emergency switch-offs of all 4-6 cooking plates. (worse on some models with built-in multi timer, doing a complete multi-timer reset after shutdown)
i think those cooktop types are about the only thing which can cause that i lose my temper completely ! 😂😂😂
especially if i burn my fingers, touching the controls that are now super-heated by a pan, because on almost all models, the touch controls would not even react to a re-switch-on to salvage the dinner attempt, if i touch the controls through a cloth or glove. 😤😤😤

on topic: kudos and thank you so much for digging into this matter so incredibly quick, as well as for sharing the learning in progress while doing so.
i think it helps everyone like me to get up to date on that, as it is written not assuming any non-written or linked prerequisite of knowledge beforehand, and we have a good reference topic for the future. 👍 -
Hi, @meta-chuh,
Thanks for your kind words ! But the most incredible thing is that my new induction cooktop is fully installed and functional ;-)) … … Without any burned fingers ! By the way, a simple first try just showed us that cooking is rather quick and requires less energy than our old vitro-ceramic cooktop ;-))
BR
guy038
-
now completely off topic: 👨🍳🍳
(my apologies to all readers, the following is perhaps triggered by me skipping dinner today)

> a simple first try just showed us that cooking is rather quick and requires less energy than our old vitro-ceramic cooktop ;-))
yes, induction is definitively the closest you can get to gas speed.
do you have knobs or front control, or does it have top touch controls on the glass ?
i ask because i’m planning to get a new one with at least one extendable oval or “rectangular” field, but i’m so stubbornly old school, that i refuse anything that doesn’t have a knob i can turn at the front, or any other kind of simulated analog control … i even get a personal crisis if i have to use a microwave oven that has a numeric keyboard, and not just a mechanical time knob which hits a real metal bell when it reaches zero 😉
hmmmmmh … now that i said that, i’m wondering if i.t. was the right choice of job for me 😂
-
Hey, guys, we’re talking about serious things but completely off topic :-))
So, @meta-chuh, here is my new induction cooktop : Sauter reference SPI4664B :
It has 3 burners ( 1 of 2200W on the front right corner, 1 of 3100W on the rear right corner and 1 of 5000W on all the left part : the oval / rectangular field that you spoke of ). Unfortunately, NO knob at all and, as you said, only top touch controls on the vitro-ceramic glass. Power is adjustable from 1 to 14, along with the “Boost” position, the strongest, and the possibility of a timer, between 1 and 99 minutes.
Initially, I thought that Sauter was a Swiss enterprise, but, from some sources, it seems rather a French brand ?
Now, it’s up to you ! In a couple of weeks, I could tell you if this product mostly satisfies us :-))
BR
guy038
P.S. :
Note that the indicated powers are the maximum values, rarely reached. For instance, with the 3 burners on, at medium position, it consumed about 4800W only ! -
Hi, @peterjones,
I’m getting serious again :-))
In a post, above, I asked you about the fact that the GPG command gpg -u guy038 -o Test.7z -d npp.7.6.5.bin.7z.sig does not create a Test.7z archive, identical to the npp.7.6.5.bin.7z archive.
Whereas the previous GPG command gpg -u guy038 -o sol_4th.exe -d sol.exe.sig works nicely and creates a decrypted executable, identical to the original Sol.exe program.
I think that this behavior is quite logical :
Firstly, I used the private part of my own certificate in order to sign the sol.exe program and create the signature sol.exe.sig
Secondly, I used my private key, again, to decrypt the sol.exe.sig signature and get an identical executable file
Now, when Don HO created the npp.7.6.5.bin.7z.sig signature, and all the others, he used his own private key. So, now, I cannot decrypt the npp.7.6.5.bin.7z.sig signature, because I would use my private key and not Don’s private one !
In other words, Don must be the ONLY person who could be able to recover the original .7z archive in the Test.7z file, from the npp.7.6.5.bin.7z.sig signature, with the command : gpg -u Notepad++ -o Test.7z -d npp.7.6.5.bin.7z.sig, because he would use the private key of his certificate ! Peter, am I right about it ?

BR
guy038
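A toy model of the question raised in this post and in the signing experiments with sol.exe.sig / sol.exe.gpg earlier in the thread, added here as an example (it is not code from the thread or from GnuPG): a detached signature is a private-key operation on a hash of the file, so it contains no copy of the file and -d cannot produce one, whereas a --sign output carries the file alongside the signature. The RSA primes, the padding shortcut and the sample archive bytes are constructed for illustration only.

```python
import hashlib

# Toy textbook RSA key, constructed for this example only: two small primes,
# no padding, no key management. gpg uses 2048/4096-bit keys and PKCS#1
# padding, but the shape of a signature is the same: a private-key operation
# on a hash of the data, never an encryption of the data itself.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = 8  # bytes that can hold any value below N (N < 2**40)


def _digest(data: bytes) -> int:
    """Hash the file and reduce it below N (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def detach_sign(data: bytes) -> bytes:
    """Like gpg --detach-sign: the output holds only the signed hash."""
    return pow(_digest(data), D, N).to_bytes(SIG_LEN, "big")


def verify_detached(sig: bytes, data: bytes) -> bool:
    """Like gpg --verify file.sig file: the original file must be supplied."""
    return pow(int.from_bytes(sig, "big"), E, N) == _digest(data)


def attached_sign(data: bytes) -> bytes:
    """Like gpg --sign (file.gpg): the file travels with its signature."""
    return data + detach_sign(data)


def recover(signed: bytes):
    """Like gpg --decrypt on a --sign output: verify, then return the embedded
    file. Returns None when no valid (file, signature) pair is inside, which is
    what happens when a detached .sig is fed in: there is no file to return."""
    if len(signed) < SIG_LEN:
        return None
    data, sig = signed[:-SIG_LEN], signed[-SIG_LEN:]
    return data if verify_detached(sig, data) else None


if __name__ == "__main__":
    # Constructed stand-in for an archive such as npp.7.6.5.bin.7z.
    archive = b"PK\x03\x04" + bytes(range(256)) * 4
    sig = detach_sign(archive)
    print(len(archive), "byte file ->", len(sig), "byte detached signature")
    print("verify with the file:", verify_detached(sig, archive))
    print("verify with a tampered file:", verify_detached(sig, archive + b"!"))
    print("recover from .gpg:", recover(attached_sign(archive)) == archive)
    print("recover from .sig alone:", recover(sig))
```

The detached signature stays the same small size whatever the file size, which is the same observation as the 566-byte gpg.exe.sig later in the thread.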
-
Sorry about the delay. I had a busy family weekend this weekend.
@guy038 said:
I would like to re-create my key-pair, with a size of 4096 bytes ( instead of 2048 ) I suppose that the best way is to delete my present key-pair and generate a new key-pair, afterwards, isn’t it ?
Yes.
In other words, Don must be the ONLY person which could be able to recover the original .7z archive in the Test.7z file , from the npp.7.6.5.bin.7z.sig signature, with the command :
gpg -u Notepad++ -o Test.7z -d npp.7.6.5.bin.7z.sig, because he would use the private key of his certificate ! Peter, am I right about it ?
Not quite. A signature is a one-way hash: you can take a file, and easily create the signature of the file; however, it is impossible to go the reverse direction. For example, if I were to sign my copy of the gpg.exe, I would see:
C:\Program Files (x86)\GnuPG\bin>gpg --detach gpg.exe

C:\Program Files (x86)\GnuPG\bin>ls -latr gpg.exe*
-rwxrwxrwx 1 Peter.Jones 0 1122816 2018-11-12 03:52 gpg.exe
-rw-rw-rw- 1 Peter.Jones 0     566 2019-04-08 06:05 gpg.exe.sig
There aren’t any compression algorithms that I know of that are good enough to encrypt-and-compress a 1.1MB gpg.exe into 566 bytes of gpg.exe.sig.
All you can do with the signature for a file is (1) verify that the file matches the signature, and (2) that the person who claimed to sign it is the one who signed it (based on whether the public key matches what’s in your keyring).
I think one of the confusions is that there are three different kinds of “signing” for files:
Commands:
 -s, --sign          make a signature
     --clear-sign    make a clear text signature
 -b, --detach-sign   make a detached signature
- The --sign (-s) creates an output file that includes the original file, plus your signature of that file. For example, in signing the standard-input as the input file:
C:\Program Files (x86)\GnuPG\bin>gpg -a --sign
hello world
^Z
-----BEGIN PGP MESSAGE-----

owEBWgKl/ZANAwAIAa7S8NjBGc6nAcsTYgBcq0qBaGVsbG8gd29ybGQNCokCMwQA
...
-----END PGP MESSAGE-----
- The --clear-sign will do the same, but it will include the message in plain text, rather than encoded in the base-64 message, like:

C:\Program Files (x86)\GnuPG\bin>gpg -a --clear-sign
hello world
^Z
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

hello world
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUi8A41Z69RBzWhJIrtLw2MEZzqcFAlyrSs0ACgkQrtLw2MEZ
...
-----END PGP SIGNATURE-----
- Finally, --detach-sign (-b) creates a file that has only the signature, without the original file embedded. This is as my example above, with the signature for gpg.exe being only 566 bytes
(in the examples above, I used the -a to “ascii-armor” the results, so the signatures were printable on the screen)

When a software distributor has available for download the original file blah.zip, alongside another file called blah.zip.sig, the .sig file is usually the detached signature created by --detach-sign, so does not contain the original file as well.
If you want a copy of the file that has the signature embedded in the archive, you would use just the --sign argument: without the -a ascii-armoring, it will go in blah.zip.gpg; with the -a ascii-armoring, it would go in blah.zip.asc.

Maybe this series of examples will make more sense:
----
 Directory of C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example

04/08/2019  06:37 AM    <DIR>          .
04/08/2019  06:37 AM    <DIR>          ..
04/08/2019  06:36 AM            52,087 Temp.zip
               1 File(s)         52,087 bytes
               2 Dir(s)  110,105,284,608 bytes free

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>gpg --sign Temp.zip

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>dir
 Volume in drive C is Windows

 Directory of C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example

04/08/2019  06:37 AM    <DIR>          .
04/08/2019  06:37 AM    <DIR>          ..
04/08/2019  06:36 AM            52,087 Temp.zip
04/08/2019  06:37 AM            49,525 Temp.zip.gpg
               2 File(s)        101,612 bytes
               2 Dir(s)  110,105,165,824 bytes free

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>gpg -o NewTemp.zip --decrypt Temp.zip.gpg
gpg: Signature made 04/08/19 06:37:27 Pacific Daylight Time
gpg:                using RSA key ZZZ___WORK_SIG___ZZZ
gpg: Good signature from "Peter C. Jones <peter.jones@__work__>" [ultimate]
gpg:                 aka "Peter C. Jones <peter.jones@__work__>" [ultimate]

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>dir
 Volume in drive C is Windows

 Directory of C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example

04/08/2019  06:37 AM    <DIR>          .
04/08/2019  06:37 AM    <DIR>          ..
04/08/2019  06:37 AM            52,087 NewTemp.zip
04/08/2019  06:36 AM            52,087 Temp.zip
04/08/2019  06:37 AM            49,525 Temp.zip.gpg
               3 File(s)        153,699 bytes
               2 Dir(s)  110,105,092,096 bytes free

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>fc Temp.zip NewTemp.zip
Comparing files Temp.zip and NEWTEMP.ZIP
FC: no differences encountered

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>del Temp.zip.gpg NewTemp.zip

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>gpg --detach-sign Temp.zip

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>dir
 Volume in drive C is Windows

 Directory of C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example

04/08/2019  06:39 AM    <DIR>          .
04/08/2019  06:39 AM    <DIR>          ..
04/08/2019  06:36 AM            52,087 Temp.zip
04/08/2019  06:39 AM               566 Temp.zip.sig
               2 File(s)         52,653 bytes
               2 Dir(s)  110,105,157,632 bytes free

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>gpg --verify Temp.zip.sig
gpg: assuming signed data in 'Temp.zip'
gpg: Signature made 04/08/19 06:39:03 Pacific Daylight Time
gpg:                using RSA key ZZZ___WORK_SIG___ZZZ
gpg: Good signature from "Peter C. Jones <peter.jones@__work__>" [ultimate]
gpg:                 aka "Peter C. Jones <peter.jones@__work__>" [ultimate]

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>dir
 Volume in drive C is Windows

 Directory of C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example

04/08/2019  06:39 AM    <DIR>          .
04/08/2019  06:39 AM    <DIR>          ..
04/08/2019  06:36 AM            52,087 Temp.zip
04/08/2019  06:39 AM               566 Temp.zip.sig
               2 File(s)         52,653 bytes
               2 Dir(s)  110,105,157,632 bytes free

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>gpg -o OutTemp.zip --decrypt Temp.zip.sig
gpg: assuming signed data in 'Temp.zip'
gpg: Signature made 04/08/19 06:39:03 Pacific Daylight Time
gpg:                using RSA key ZZZ___WORK_SIG___ZZZ
gpg: Good signature from "Peter C. Jones <peter.jones@__work__>" [ultimate]
gpg:                 aka "Peter C. Jones <peter.jones@__work__>" [ultimate]

C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example>dir
 Volume in drive C is Windows

 Directory of C:\Users\PETER~1.JON\AppData\Local\Temp\gpg-example

04/08/2019  06:39 AM    <DIR>          .
04/08/2019  06:39 AM    <DIR>          ..
04/08/2019  06:36 AM            52,087 Temp.zip
04/08/2019  06:39 AM               566 Temp.zip.sig
               2 File(s)         52,653 bytes
               2 Dir(s)  110,105,100,288 bytes free
- The