Digital signature

In a nutshell: I sometimes sign documents. Here is my OpenPGP certificate, which you can use to authenticate them.

Documents I send may be digitally signed, so that their authenticity can be proved, and to protect them against alteration.

  • The method used is OpenPGP.
  • To verify authenticity with appropriate software, you may:
    • download my certificate, or
    • simply check that the displayed fingerprint is E0D94AFB80BF89E1F9377FE125158520D38DC09D.
  • Generally, the signature file is alongside the document, with a ".sig" extension (for instance: "document.pdf.sig").
  • The written message I send looks like: "Each document is certified to be authentic, with my digital signature (check it at sukender.net/pgp)."

For people not familiar with OpenPGP, here is how to check.

Step-by-step verification with GnuPG 2

If you have GnuPG 2 (Linux, Cygwin), you can import my certificate, and then verify using the command line. For instance:

gpg2 --import Benoit_NEIL_public_asc.txt
gpg2 --verify document.pdf.sig

Please note you'll be warned that the "key is not certified". This only means it is up to you to assert that this is my certificate, in particular by checking its fingerprint. In other words, the proof of authenticity requires you to trust the certificate from this Web page, or its fingerprint. You may remove this warning by adding my certificate to your trusted list (see gpg2 documentation).

You'll get a "Good signature" to prove the authenticity. Typically:

gpg: assuming signed data in "document.pdf"
gpg: Signature made Thu, Nov  5, 2020 06:54:10 CET
gpg:                using RSA key E0D94AFB80BF89E1F9377FE125158520D38DC09D
gpg: Good signature from "Benoit NEIL <neilb@free.fr>" [inconnu]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E0D9 4AFB 80BF 89E1 F937  7FE1 2515 8520 D38D C09D
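
The fingerprint check can also be automated. "Good signature" alone only says that some key in your keyring signed the file, so the script below compares the signer to the fingerprint published above. It is an added example, not part of the original page: the function names status_ok and verify_doc are hypothetical, the sample status lines are constructed, and accepting exactly one signature is an assumed policy.

```shell
#!/bin/sh
# Added example: accept a document only if gpg2 reports one good signature
# made under the fingerprint published on this page.
EXPECTED_FPR=E0D94AFB80BF89E1F9377FE125158520D38DC09D

# status_ok FPR: reads `gpg2 --status-fd 1` lines on stdin. Succeeds only for
# exactly one GOODSIG whose VALIDSIG primary-key fingerprint (last field) is FPR.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { valid++; if (toupper($NF) != toupper(want)) other++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { exit !(good == 1 && valid == 1 && !other && !bad) }'
}

# verify_doc SIGFILE DOCUMENT: run the verification shown above, then pin the key.
# gpg2's human-readable messages still appear on stderr.
verify_doc() {
    gpg2 --batch --status-fd 1 --verify "$1" "$2" | status_ok "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real run) for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 25158520D38DC09D Benoit NEIL <neilb@free.fr>
[GNUPG:] VALIDSIG E0D94AFB80BF89E1F9377FE125158520D38DC09D 2020-11-05 1604555650 0 4 0 1 8 00 E0D94AFB80BF89E1F9377FE125158520D38DC09D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Command-line use: sh check.sh document.pdf.sig document.pdf
if [ "$#" -eq 2 ]; then
    if verify_doc "$1" "$2"; then
        echo "OK: signed by $EXPECTED_FPR"
    else
        echo "REJECTED: no single good signature from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

The check fails closed: a bad, expired or revoked signature, a second signature, or a missing VALIDSIG line all lead to rejection.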

Verification with GPG4Win (Windows)

Similarly, with GPG4Win (Windows), you can run the Kleopatra software and perform:

  1. An import of my certificate, then
  2. "Decipher / verify" the signature file.