PGP Signature Operations
PGP/GPG signature operations for files, emails, and git commits.
Generate GPG Key
# Interactive key generation (algorithm, size, expiry and passphrase are asked at the prompts)
gpg --full-generate-key

# Quick generation: an Ed25519 primary key for signing and certification, expiring in
# two years. This creates NO encryption subkey; add one afterwards with
# "gpg --quick-add-key FINGERPRINT cv25519 encr 2y" (the fingerprint is shown by --fingerprint).
gpg --quick-generate-key "Your Name <email@example.com>" ed25519 sign,cert 2y

# Batch (unattended) generation. %no-protection creates a key with NO passphrase,
# which is only acceptable for throwaway or CI keys; for a personal key replace it
# with a "Passphrase: ..." line (and delete the batch file afterwards) or drop it
# and let pinentry ask.
cat > gpg-batch <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Your Name
Name-Email: email@example.com
Expire-Date: 2y
%commit
EOF

gpg --batch --generate-key gpg-batch
List Keys
# List public keys
gpg --list-keys
gpg -k

# List secret keys (a "#" after "sec" or "ssb" means that secret key is not
# actually present, e.g. only a stub or only subkeys were imported)
gpg --list-secret-keys
gpg -K

# List with fingerprints (the full fingerprint, not the key ID, is what you compare)
gpg --fingerprint

# List specific key
gpg --list-keys email@example.com

# Show key details interactively (type "quit" to leave without changing anything)
gpg --edit-key email@example.com
Export Keys
# Export public key (ASCII armor)
gpg --export --armor email@example.com > public.asc

# Export public key (binary)
gpg --export email@example.com > public.gpg

# Export secret key (ASCII armor). gpg asks for the passphrase and the exported
# key stays passphrase-protected, but treat the file as a secret: move it to
# offline or encrypted storage rather than leaving it in a home directory.
gpg --export-secret-keys --armor email@example.com > private.asc

# Export secret key (binary)
gpg --export-secret-keys email@example.com > private.gpg

# Publish to a keyserver (the one configured in gpg.conf, or the one given)
gpg --send-keys KEY_ID
gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
Import Keys
# Import public key
gpg --import public.asc

# Import secret key
gpg --import private.asc

# Import from keyserver. Anyone can upload a key under any name or e-mail
# address, so a fetched key is unverified until you compare its full
# fingerprint with one obtained from the owner through a trusted channel.
gpg --recv-keys KEY_ID
gpg --keyserver keyserver.ubuntu.com --recv-keys KEY_ID

# Search keyserver (interactive: pick the entries to import)
gpg --search-keys email@example.com
Sign Files
# Detached signature (separate binary .sig file; file.txt itself is unchanged)
gpg --detach-sign file.txt
# Creates file.txt.sig

# Detached signature (ASCII armor)
gpg --detach-sign --armor file.txt
# Creates file.txt.asc

# Clear-sign (readable message and signature in one file; for text only)
gpg --clear-sign file.txt
# Creates file.txt.asc

# Sign and encrypt (the signature is inside the ciphertext, so only the
# recipient can verify it)
gpg --sign --encrypt --recipient recipient@example.com file.txt
# Creates file.txt.gpg

# Sign with specific key (otherwise the first secret key, or default-key from gpg.conf, is used)
gpg --local-user email@example.com --detach-sign file.txt
Verify Signatures
# Verify detached signature (signature first, then the signed file)
gpg --verify file.txt.sig file.txt
gpg --verify file.txt.asc file.txt

# Verify clear-signed file
gpg --verify file.txt.asc

# Verify and extract a signed (non-detached) file
gpg --decrypt file.txt.gpg > file.txt

# Verify against one specific keyring only. --keyring on its own ADDS a keyring
# next to the default one; --no-default-keyring makes it the only one consulted.
# The file must be a binary keyring (an unarmored --export works), not an .asc file.
gpg --no-default-keyring --keyring ./keyring.gpg --verify file.txt.sig file.txt

# Exit status 0 only means the signature is cryptographically valid for SOME key
# in the keyring. It does not say that key belongs to the expected signer, and
# "WARNING: This key is not certified with a trusted signature!" still exits 0.
# Scripts should check the signer's fingerprint in the --status-fd output.
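As an added example (not from the original page), here is the check a script should make instead of relying on gpg's exit status: run gpg with --status-fd 1 in a throwaway GNUPGHOME that contains only the trusted key, and accept the result only when a VALIDSIG line names the pinned primary-key fingerprint. The check_status function is pure text parsing, so it is exercised below on constructed status output; the fingerprints, key ID, file names and signer name are made up, and verify_pinned needs gpg installed.

```shell
#!/bin/sh
# Added example, not part of the original page. Fingerprints, file names and the
# sample status lines below are constructed for illustration.

# check_status EXPECTED_PRIMARY_FPR
# Reads "gpg --status-fd 1" output on stdin. Returns 0 only if:
#   - no line reports a bad, errored, expired or revoked signature, and
#   - a VALIDSIG line's last field (the PRIMARY key fingerprint; the first
#     field is the fingerprint of the signing subkey) equals EXPECTED_PRIMARY_FPR.
check_status() {
    expected=$1
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA|NO_PUBKEY) '; then
        return 1
    fi
    printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }' |
        grep -qxF -e "$expected"
}

# verify_pinned TRUSTED_PUBKEY.asc EXPECTED_PRIMARY_FPR SIGNATURE FILE
# Imports only the trusted key into a temporary GNUPGHOME, so nothing that was
# ever --recv-keys'd into the default keyring can satisfy the check.
# Returns 0 for a good signature by the pinned key, 1 otherwise, 2 on setup errors.
verify_pinned() {
    home=$(mktemp -d) || return 2
    GNUPGHOME=$home gpg --batch --quiet --import "$1" 2>/dev/null || { rm -rf "$home"; return 2; }
    GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null | check_status "$2"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Constructed status output for a signature made by a signing subkey of the
# expected primary key (placeholder fingerprints).
PRIMARY_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SUBKEY_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.com>
[GNUPG:] VALIDSIG $SUBKEY_FPR 2024-01-01 1704067200 0 4 0 22 8 00 $PRIMARY_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
# Constructed output for a tampered file (signature does not match the data).
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.com>"
# Constructed output when the signing key is not in the keyring at all.
SAMPLE_ERR="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 22 8 00 1704067200 9 $SUBKEY_FPR
[GNUPG:] NO_PUBKEY 89ABCDEF01234567"

# With real files: verify_pinned vendor.asc "$PRIMARY_FPR" release.tar.gz.sig release.tar.gz
for case in "good:$SAMPLE_GOOD" "bad:$SAMPLE_BAD" "missing-key:$SAMPLE_ERR"; do
    name=${case%%:*}
    if printf '%s\n' "${case#*:}" | check_status "$PRIMARY_FPR"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
# Pinning the subkey fingerprint instead of the primary one is rejected on purpose:
printf '%s\n' "$SAMPLE_GOOD" | check_status "$SUBKEY_FPR" && echo "subkey pin: accepted" || echo "subkey pin: rejected"
```

Pin the primary fingerprint rather than a subkey's: signing subkeys are rotated, and the primary is what the signer publishes. Because the temporary home holds one key, a signature from any other key surfaces as ERRSIG/NO_PUBKEY and is rejected, which is the behaviour a release-verification script wants.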
Sign Text/Messages
# Sign text from stdin
echo "Hello, World!" | gpg --clear-sign

# Sign and output to file
echo "Hello, World!" | gpg --clear-sign > signed.asc

# Verify signed text
gpg --verify signed.asc

# Sign with the default key (binary, non-detached), then verify and recover the text
echo "Hello, World!" | gpg --sign | gpg --decrypt
Trust Management
# Set owner trust for a key. Level 5 (ultimate) is for your own keys only;
# for someone else's key use 4 (full) or 3 (marginal).
gpg --edit-key email@example.com
# In GPG prompt:
# trust
# 5 (ultimate trust)
# quit

# Sign (certify) someone's key after verifying their fingerprint (web of trust).
# This certification is exported together with the key; use --lsign-key for a
# local, non-exportable one.
gpg --sign-key email@example.com

# Revoke your certification on a key (edit-key changes are only written on "save")
gpg --edit-key email@example.com
# revsig
# save

# Check the trust database for consistency
gpg --check-trustdb
Key Management
# Delete public key (refused while a secret key for it exists; delete that first)
gpg --delete-keys email@example.com

# Delete secret key
gpg --delete-secret-keys email@example.com

# Delete both
gpg --delete-secret-and-public-keys email@example.com

# Revoke key. Generate the revocation certificate while you still have the
# secret key (ideally right after key generation; GnuPG 2.1+ also writes one to
# ~/.gnupg/openpgp-revocs.d/), import it to mark the key revoked locally, then
# publish so others pick it up on --refresh-keys.
gpg --gen-revoke email@example.com > revoke.asc
gpg --import revoke.asc
gpg --send-keys KEY_ID

# Change passphrase
gpg --edit-key email@example.com
# passwd
# quit

# Add subkey (e.g. a separate signing subkey so the primary key can stay offline)
gpg --edit-key email@example.com
# addkey
# save
Git Integration
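The following is an added example, not the page's own content, of the git side of commit signing: it creates a throwaway Ed25519 signing key in a temporary GNUPGHOME, points a fresh repository at it, makes a signed commit and a signed tag, and checks both with git's verify commands. It assumes gpg 2.1 or later and git are on PATH; the signer name, e-mail address, paths and file contents are made up.

```shell
#!/bin/sh
# Added example, not from the original page. Names, e-mail address and paths are
# made up; it needs gpg (2.1 or later) and git on PATH.

# demo_signed_commit
# Generates a disposable key in an isolated GNUPGHOME (your real keyring is
# untouched), configures a fresh repository to sign with it, creates a signed
# commit and tag, verifies both, and prints git's signature status letter for
# the commit: G = good, B = bad, U = good but untrusted key, N = no signature.
# Returns non-zero if any step, including verification, fails.
demo_signed_commit() {
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Disposable sign-only key with no passphrase; a real key would be generated
    # interactively (gpg --full-generate-key) and protected by a passphrase.
    gpg --batch --quiet --passphrase '' --quick-generate-key \
        "Demo Signer <demo@example.invalid>" ed25519 sign 1d >/dev/null 2>&1 || return 1
    # Fingerprint of the key just created ("fpr" record, field 10, in the colon-separated listing).
    fpr=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    repo="$work/repo"
    git init -q "$repo" || return 1
    # Repository-local config; with --global the same settings apply to every repo.
    git -C "$repo" config user.name "Demo Signer"
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.signingkey "$fpr"   # key git hands to gpg -u
    git -C "$repo" config commit.gpgsign true      # sign every commit (same as git commit -S)

    echo "signed content" > "$repo/README"
    git -C "$repo" add README || return 1
    git -C "$repo" commit -q -m "Add README" || return 1
    git -C "$repo" tag -s v1.0 -m "Release v1.0" || return 1   # -s: signed annotated tag

    # Both commands exit non-zero for a bad or missing signature.
    git -C "$repo" verify-commit HEAD >/dev/null 2>&1 || return 1
    git -C "$repo" verify-tag v1.0 >/dev/null 2>&1 || return 1

    # %G? is the signature status letter; %GF would print the signing key's fingerprint.
    result=$(git -C "$repo" log -1 --format='%G?') || return 1

    gpgconf --kill gpg-agent >/dev/null 2>&1   # stop the agent started for the temp home
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Prints "G": a good signature from a key git (via gpg) trusts, because gpg
# marks keys it generated itself as ultimately trusted.
demo_signed_commit
```

For a real setup the same three config keys (user.signingkey, commit.gpgsign, tag.gpgsign) go in --global config with your own key's fingerprint, and `git log --show-signature` or `git verify-commit` is the check to run before merging signed history from others; the letter U from %G? means the signature is good but you have not verified or trusted that key.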
Encrypt and Sign
# Encrypt and sign for recipient (the recipient's public key must be imported)
gpg --encrypt --sign --recipient recipient@example.com file.txt

# Encrypt and sign (ASCII armor)
gpg --encrypt --sign --armor --recipient recipient@example.com file.txt

# Decrypt and verify. The plaintext is written even when the message carries no
# signature, so check the signature status gpg prints before using the output.
gpg --decrypt file.txt.gpg > file.txt
Batch Operations
# Sign multiple files
for file in *.txt; do
    gpg --detach-sign --armor "$file"
done

# Verify multiple files; stop at the first failure instead of letting it scroll past
for file in *.txt; do
    echo "Verifying $file"
    gpg --verify "$file.asc" "$file" || { echo "FAILED: $file" >&2; exit 1; }
done
Python: GPG Operations
import gnupg  # python-gnupg (pip install python-gnupg), a wrapper around the gpg binary

# Initialize GPG (uses ~/.gnupg; pass gnupghome='/path' for an isolated home)
gpg = gnupg.GPG()

# List keys
keys = gpg.list_keys()
for key in keys:
    print(f"{key['fingerprint']}: {key['uids']}")

# Import key
with open('public.asc', 'r') as f:
    import_result = gpg.import_keys(f.read())
    print(f"Imported: {import_result.count}")

# Sign data (clear-signed by default; pass detach=True for a detached signature
# and passphrase='...' if no agent/pinentry is available)
signed_data = gpg.sign("Hello, World!", keyid='YOUR_KEY_ID')
print(signed_data)

# Verify signature. verified.valid is True for a good signature by ANY key in
# the keyring, so also pin the signer. verified.fingerprint is the key that made
# the signature (a subkey, if you sign with subkeys); recent python-gnupg also
# exposes verified.pubkey_fingerprint for the primary key.
EXPECTED_FINGERPRINT = 'EXPECTED_SIGNING_KEY_FINGERPRINT'  # placeholder: put your key's fingerprint here
verified = gpg.verify(str(signed_data))
print(f"Valid: {verified.valid}")
print(f"Fingerprint: {verified.fingerprint}")
print(f"Trust: {verified.trust_text}")
if not (verified.valid and verified.fingerprint == EXPECTED_FINGERPRINT):
    raise ValueError("signature missing, bad, or made by an unexpected key")

# Encrypt and sign
encrypted = gpg.encrypt(
    "Hello, World!",
    recipients=['recipient@example.com'],
    sign='sender@example.com'
)
print(encrypted)

# Decrypt and verify. decrypted.ok only means decryption succeeded; an unsigned
# message still decrypts, so check decrypted.valid (and the fingerprint, as
# above) before trusting the content.
decrypted = gpg.decrypt(str(encrypted))
print(f"Decrypted: {decrypted.data.decode()}")
print(f"Valid signature: {decrypted.valid}")
Configuration
# GPG config file (one option per line; "#" starts a comment)
nano ~/.gnupg/gpg.conf

# Recommended settings:
# Prefer SHA-512 for signatures and for key certifications
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512

# Prefer AES-256 for encryption
personal-cipher-preferences AES256 AES192 AES

# Disable weak algorithms. weak-digest makes gpg reject SHA-1 signatures, which
# also affects old keys whose self-signatures use SHA-1; disabling 3DES can break
# encrypting to very old implementations that support nothing else.
disable-cipher-algo 3DES
weak-digest SHA1

# Show long key IDs (short 32-bit IDs are trivial to collide)
keyid-format 0xlong

# Show fingerprints in listings
with-fingerprint

# Key server. HKPS authenticates the server, and keys.openpgp.org verifies e-mail
# ownership before publishing user IDs. In GnuPG 2.1+ this can also live in
# ~/.gnupg/dirmngr.conf.
keyserver hkps://keys.openpgp.org
Keyserver Operations
# Upload key
gpg --send-keys KEY_ID

# Upload to specific keyserver
gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID

# Receive key
gpg --recv-keys KEY_ID

# Refresh all keys from the keyserver (picks up revocations, extended expiry dates and new subkeys)
gpg --refresh-keys

# Search for key (results are unverified; compare fingerprints before trusting one)
gpg --search-keys email@example.com
Troubleshooting
# Fix "No public key" on verify: import the signer's key, then check its
# fingerprint through a trusted channel (a key fetched by ID is not yet trustworthy)
gpg --recv-keys KEY_ID

# Fix "gpg: signing failed: Inappropriate ioctl for device" (pinentry cannot find the terminal)
export GPG_TTY=$(tty)
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc

# Fix "unsafe permissions" warnings. Do not chmod 600 everything in ~/.gnupg:
# it contains subdirectories (private-keys-v1.d, openpgp-revocs.d) that need 700.
chmod 700 ~/.gnupg
find ~/.gnupg -type d -exec chmod 700 {} +
find ~/.gnupg -type f -exec chmod 600 {} +

# Rebuild trust database
gpg --check-trustdb
gpg --update-trustdb

# Test GPG end to end (signs with the default key; pinentry asks for the passphrase)
echo "test" | gpg --clear-sign
Best Practices
Key Generation:
- Use Ed25519 or RSA 4096-bit
- Set an expiration date (2 years recommended; it can be extended later with --quick-set-expire)
- Use a strong passphrase
- Create a revocation certificate right away, while the secret key is still available
Key Management:
- Back up private keys securely (offline or on encrypted media)
- Keep the revocation certificate safe: anyone holding it can revoke your key
- Rotate keys periodically
- Use subkeys for signing so the primary (certifying) key can stay offline
Signing:
- Use detached signatures for files, so the file itself is unchanged
- Use clear-sign for text messages
- Verify signatures, and the signer's fingerprint, before trusting content
Trust:
- Only trust keys whose fingerprint you have verified
- Use the web of trust carefully; a certification from a key you do not know adds nothing
- Verify fingerprints in person or over an authenticated channel