If you haven’t read my post on gpg, please do that first, as it covers the basics of gpg. With that background, we can sign a file using gpg in several ways. Let’s explore them.
There are basically two ways to sign a file: attached and detached. With an attached signature, a single file is generated which holds both the signature and the original content, whereas with a detached signature, the signature is written to a separate file.
Attached signature
The basic version of signing a file uses the sign flag. This basic version is an example of an attached signature:
gpg --sign myfile.csv
# this results in a new signed file myfile.csv.gpg
The above variation of signing results in a single file holding both the original file and the signature.
gpg --output signed-file.gpg --sign myfile.csv
# this results in a new signed file named signed-file.gpg
This variation is the same as the first one; the only difference is the output flag, which tells gpg to write the output to the file signed-file.gpg.
How to verify an attached signed file?
gpg --verify signed-file.gpg
clear-sign
clear-sign is a variation of attached signature. What clear-sign does is wrap the signature around the content without modifying it, which is useful for signing emails or documents where the document should remain readable as-is, without involving gpg.
gpg --clear-sign my-file.csv
or
gpg --output my-file.csv.asc --clear-sign my-file.csv
# outputs a single file my-file.csv.asc
Note that gpg produced a file with the extension .asc because clear-sign doesn’t use the usual gpg binary format.
A clear-signed file can be verified using the same verify option of gpg.
Detached signature
gpg --detach-sign my-file.csv
or
gpg --output my-file.csv.asc --detach-sign my-file.csv
This results in only the signature file. That means, to verify the signature, you will need both files, i.e. the signature and the original file.
gpg --verify my-file.csv.asc my-file.csv
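The verify commands above print a human-readable result, but a script that consumes signatures should read gpg's machine-readable status lines (the --status-fd output) and pin the fingerprint of the key it expects, rather than trusting "Good signature" text or a zero exit code alone. Here is an added example in Python (not from the post) that parses those status lines and wraps the detached-signature verify; the status lines in the comments and the fingerprints are constructed samples.

```python
import subprocess
from dataclasses import dataclass, field

# Status keywords that mean the signature must not be accepted (from GnuPG's doc/DETAILS).
PROBLEM_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NODATA", "NO_PUBKEY", "UNEXPECTED"}

@dataclass
class VerifyResult:
    good: bool = False            # a GOODSIG line was seen
    valid: bool = False           # a VALIDSIG line was seen (signature checked out)
    signing_fpr: str = ""         # fingerprint of the (sub)key that made the signature
    primary_fpr: str = ""         # fingerprint of that key's primary key
    trust: str = ""               # TRUST_* level gpg assigned to the signing key
    problems: list = field(default_factory=list)

def parse_status(status_text: str) -> VerifyResult:
    """Parse the '[GNUPG:] ...' lines gpg writes to --status-fd during --verify."""
    res = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            res.good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo> <hash> <class> [<primary-fpr>]
            res.valid = True
            res.signing_fpr = fields[2]
            res.primary_fpr = fields[11] if len(fields) > 11 else fields[2]
        elif keyword.startswith("TRUST_"):
            res.trust = keyword
        elif keyword in PROBLEM_KEYWORDS:
            res.problems.append(keyword)
    return res

def signature_accepted(res: VerifyResult, expected_fpr: str) -> bool:
    """Accept only a valid signature from the pinned primary key with no problem lines."""
    return (res.good and res.valid and not res.problems
            and res.primary_fpr.upper() == expected_fpr.upper())

def verify_detached(sig_path: str, data_path: str, expected_fpr: str) -> bool:
    """Run the post's detached-signature verify with status output on stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return signature_accepted(parse_status(proc.stdout), expected_fpr)
```

verify_detached needs a local gpg with the signer's public key imported; parse_status and signature_accepted work on any captured status output.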