Digital signatures are severely underutilized in the modern world.
They help protect documents and files from being accessed by unwanted personnel. Unfortunately, they aren’t always the easiest of things to set up.
To brush up on digital signatures, how they work, and why you should use them, keep reading!
What Is A Digital Signature?
Briefly, a digital signature is a type of electronic signature that helps with authenticating a file by encrypting it with a code that is particularly hard to reproduce.
Digital signatures work very much like key pairs in PGP (which is no surprise as they are basically the same technology, and as we shall see, verifying digital signatures requires using a PGP-compatible client.) Unfortunately, this also means that like PGP, using digital signatures is a real pain in the butt…
Digital Signature Verification
To verify a file’s digital signature, you must use a PGP client (or more accurately GnuPG – its open source clone). Versions of GnuPG are available for Windows (Gpg4win), Mac OSX, and Linux (usually pre-installed).
In this tutorial, we will verify the Digital signature of Pidgin + OTR using Gpg4win, but the process is very similar for other versions of GnuPG.
The Gpg4win download is itself digitally signed with a key that has been verified by a recognized certificate authority (CA), and which can be independently checked for verification using a trusted older copy of GnuPG (an SHA1 hash is also available). You should never trust a copy of Gpg4win that you have not verified.
Once GnuPG is installed, we need three things to verify a digital signature:
- The file we want to verify (duh!), e.g. the pidgin-otr-4.0.1.exe installer
- The PGP/GPG signature file (.asc) e.g. pidgin-otr-4.0.1.exe.asc
- The public key/PGP Certificate used to create this signature, e.g. asc
These files should all (hopefully) be provided by the developer whose digitally signed files you wish to verify. Public key/PGP Certificates are often stored on a keyserver, but the devs should provide instructions for accessing them.
How to Create a Digital Signature
Creating a digital signature is not difficult, to demonstrate, we will be using Kleopatra. Kleopatra is a key management program bundled with Gpg4win.
- You will need a personal private key to certify the PGP certificate. If you have created one before (for example using GPA), then you can import it (File -> Import Certificates…), or you can create a new key pair (File -> New Certificate…).
- Import the public key/PGP certificate into Kleopatra – using either ‘Import Certificates’, or right-clicking on the file and selecting ‘Import keys’.
- Certify the PGP certificate using your private key – this tells GnuPG that you trust the person who signed the certificate.
- In Kleopatra right-click on the key and select ‘Certify Certificate’.
- Select the certificate, and confirm that you have verified its fingerprint (hopefully this will be published on the developer’s website, but see also below for further discussion on this point).
- Unless you are very sure about the authenticity of the certificate, then you should Certify only for yourself (certificates work on the principle of a web of trust – the more people who trust them, the more certain you can be they are genuine).
- Enter your private key passphrase to finish verifying the certificate.
- Now that you have certified the Certificate used to make the signature for the file you have downloaded (whew!), you can use it to verify the signature.
- In Kleopatra go to File -> Decrypt/Verify files and browse to the signature file, or right-click on it and go to MoreGpgEX options -> Verify.
- Ensure ‘Input File’ is the signature file, and that the ‘Signed data’ field contains the program or file you wish to verify, then hit ‘Decrypt/Verify’.
- All being well, Kleopatra will declare the signature valid. Yay!
Other Ways of Creating a Digital Signature
There are other ways of creating digital signatures, with other software as well. If you need instructions for creating them, then Google will be your best option.
Digital Signature Certificates
The simplest way to verify that a PGP Certificate is valid is to check the website of the person who is supposed to have signed the certificate… with a bit of luck, it will publish the fingerprint of the certificate.
However, although easy, this does not guarantee the authenticity of the signature, as the website may have been hacked or forced by a government to display a fake fingerprint (the same problem that plagues cryptographic hashes).
This is where the web of trust comes in, where users vouch for a certificate. In practice, this is an arcane process that is both too complex and too obscure for most users, so the best that most of us can hope for is that the certificate has been vouched for by a recognised Certificate Authority, or is signed by known developers who publish their signing keys (as the Tor developers do, for example).
Pidgin + OTR is in some ways a bad example of how digital signing should work because the OTR webpage comes with almost no instructions on how to use its published keys. Its PGP Certificate was not only very difficult to locate but other than being available from https://otr.cypherpunks.ca/gpgkey.asc there is no easy way to verify its authenticity (the fact that uses a 1024-bit RSA key is also poor show in this age when the NSA can probably crack such weak encryption).
It is, however, a good example of why the whole notion of digital signatures is such a mess! An interesting discussion on how you can attempt to verify the OTR Certificate is available here.)
Digital Signature: Conclusion
As you can see, verifying a digital signature really is a pain, so it is little wonder that even those who understand the jargon-heavy arcane process rarely bother. The issue is made even worse by many devs failing to explain how to verify their files, and/or issuing sloppy PGP Certificates that are very hard to verify are genuine (OTR-team, we are looking at you!)
The fact that digital signatures remain the only meaningful way to guarantee that files you download are the ones you intended to download (or that their devs intended you to download), does not bode well for internet security.
However, until someone invents a better, more user-friendly system, our best hope is to encourage devs to provide clear instructions on how to use their digital signatures, and to publish meaningful guarantees as to the authenticity of their PGP Certificates… (sigh)