As part of the decryption process, GnuPG both authenticates the sender and checks the integrity of the encrypted data. This means that the recipient can be confident that:
- The message or data actually comes from the person who purports to have sent it.
- The message or data has not been tampered with after encryption.
Obviously, validating the source and integrity of data is an essential component of the security provided by encryption; but sometimes this sort of validation is desirable without the necessity of encryption (so called, plaintext information). For instance, imagine that you and your friends are working on some code - a bug fix, perhaps - it's easy to understand why recipients would be keen to ensure that the data has not been corrupted or compromised during transimission.
Fortunately, GnuPG makes it is possible to realize these benefits using a technique called digital signing. The signing process creates a new file (the signature) in the same directory as the original. It is essentially an encrypted version of the original data's message digest also known as a hash and this digest is, for all intents and purposes, unique to the data that was encrypted.
When the originator sends the plaintext file to the recipient, she will also send the signature. When the recipient decrypts the signature the hash is compared to the plaintext hash to ensure that the data has not changed. In Ubuntu, creating a digital signature is simple once the Decrypt File package has been installed:
- In Nautilus, right-click the file that you want to sign and choose the Sign option from the pop-up menu.
- In the Choose Signer dialog box, select the key (certificate) that you want to use to sign the file
- Enter your passphrase in the Pinentry dialog box. An electronic signature (a file with a .sig file extension) is saved in the same directory as the original file.
- Double-click the .sig file to view the signature validation notification
- Send both the original file (encrypted or not) and the signature file to the intended recipient
Sources & References: