GPG

With GnuPG you can sign messages. The signature looks something below. Does this contain more than just a hash, and if so, what/how can this be made visible?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQI......
.........
=TNf9
-----END PGP SIGNATURE-----

OpenPGP, which GPG implements, is a public-private key scheme. That is, it is founded on a two-part key, one of which is made publicly available and the other kept only by the owner. Messages encrypted with one of the two keys can be decrypted with the other. To send a secret message to someone, you would encrypt the message with their public key, and only they would be able to decrypt it with their private key. To digitally sign a message and demonstrate that you were the originator, you make a hash and encrypt that with your private key, and everyone would be able to decrypt it with your public key and confirm that it had to have been made with access to your private key (i.e. by you, unless something has gone terribly wrong).

Does it bother you?

>>2
Ok I understand. But what is encoded in ---BEGIN PGP SIGNATURE--- part.
Is it like a base64 encoded structure, and if so, how can I examine what is in there. In contrast, openssl has the ability to read these things and format them into human readable text so you can examine the actual values used for signing. I read the GPG documentation, searched the web, and cannot find a method to do this for GPG. It seems that it is intentional to obfuscate the the signature, but I cannot imagine this is the case.

Oh, just realized you might be asking a totally different question, that is, whether any more information than a hash is encrypted in the PGP signature.
The RFC lists a lot of potential metadata in a signature packet: http://www.ietf.org/rfc/rfc4880.txt
Not sure what GPG implements.

Thanks, that was what I was looking for. Do you perhaps know of a tool or command that textifies the signature?

Here's the code: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=sm/sign.c;hb=HEAD
If your patience is limited you could try shooting an email to the gnupg-users list.

>>4
$ cat > anus
I thereby relinquish my role of guardian of the anus.
$ gpg --detach-sign -a anus

You need a passphrase to unlock the secret key for
user: "The Guardian <guardian@anus>"
4096-bit RSA key, ID 00000000, created 2012-01-01

$ ls
anus  anus.asc
$ cat anus.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIc...cQE
-----END PGP SIGNATURE-----
$ gpg --list-packets anus.asc
:signature packet: algo 1, keyid 0000000000000000
    version 4, created 1354484986, md5len 0, sigclass 0x00
    digest algo 3, begin of digest a1 45
    hashed subpkt 2 len 4 (sig created 2012-12-02)
    subpkt 16 len 8 (issuer key ID 0000000000000000)
    data: [4095 bits]
$ pgpdump anus.asc
Old: Signature Packet(tag 2)(540 bytes)
    Ver 4 - new
    Sig type - Signature of a binary document(0x00).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - RIPEMD160(hash 3)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Sun Dec  2 16:49:46 EST 2012
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x0000000000000000
    Hash left 2 bytes - d2 67
    RSA m^d mod n(4095 bits) - ...
        -> PKCS-1
$

Your Godanus, I am thankful...

Oh and check out pgpdump's -i option if you want to see the actual data.

>>8
No! Please stay with my anus!

GNU PRIVACY GUARDIAN OF MY ANUS

GPG: GNU's PGP Guesstimate

Pronounced 'Gnu-Pig'

So who's the new guardian of the anus?

>>15
Am I to understand there is an job opening?

GNU gets far too much credit for this.

>>16
Does it have flexible schedule?
Is it manual work, or mostly automated?
Where can I apply?

>Am I to understand there is an job opening?

The answer to this question is always anus.

Gretty Pood Grivacy!?

>>20
fuck you you almost made me start laughing in the middle of a lecture