While other software packages that support private keys and PGP signing can be used to the same end, this article describes software that is freely available and relatively easy to use. For Linux, this article suggests the GnuPG software package, with kGPG as its graphical user interface. For Windows it suggests the GPG4Win package, which includes a graphical user interface (see the references for links to the software packages). There are no special instructions for Macs; it is reasonable to assume the Linux instructions will apply. Setup and usage of these programs is quite simple, but read the instructions anyway: there are security considerations you should be aware of.
This article does not cover the use of smartcards to store private keys or the use of government-supplied private keys, which may also be used.
PGP signatures are commonly used to sign email, so tools that integrate with email clients are always available (Enigmail, listed in the references, is one). Using them is a good idea, as it gives people a way to learn which key is used by which person.
The installation of the packages depends on the distribution of Linux in use, however most users should be able to use a package manager to install both packages in a straightforward fashion.
After the software installation, you should generate your key pair. If you already have a private key, do not create a new one; import the existing key instead.
To create a new key (please note that the exact names on the menus may differ depending on your locale):
Run kGPG
If a window does not appear, left-click the keylock icon in your menu
Go to the “Keys” menu
Select the “Generate key pair” option (Ctrl + N)
Enter your real name and an email address at which you can be reached and that you typically use for official communication. This information identifies you as the owner of the key.
Select the “RSA” algorithm with a key size of at least 3072 bits. The 1024-bit “DSA & ElGamal” option is too small to be considered secure today and should not be used. Then click OK.
Enter the passphrase that will protect this private key. You will need to enter it every time you sign something with this key. Then click OK.
This article recommends that you save a revocation certificate, or print it out, and keep it someplace safe. It can be used to revoke your key if the key is stolen. Keep in mind that anyone who can use your revocation certificate can revoke your key, after which signatures made with it will no longer be trusted.
It is recommended you make a backup of your private key:
Right click your key in the list
Select the “Export secret key” option
Save the file someplace SAFE. Remember, whoever gets this key and your passphrase will be able to sign documents in your name until you revoke it. Also remember that if you lose your private key, you will never be able to sign any more documents with the same key; an identical key cannot be generated later.
Your public key is required to verify your signatures. You may export the public key as a file and give it to the people who will have to verify your signatures, but this article recommends the more practical alternative of uploading the public key to a public key server. In either case, tell those people your key fingerprint through a separate channel (in person, by phone) so they can check that they have the right key:
Right click your key in the list
Select the “Export public keys (Ctrl + C)” option
Select the “Default key server” option
Click OK
By this point, your private key is ready and you can sign documents. There are two basic ways to sign content: signing text and signing files. When signing, remember that the content has to remain identical for the signature to stay valid; any change at all, including formatting changes, will invalidate the signature. Signing text (a clear-signed message) is recommended over signing files because the signature is embedded in the text rather than delivered as a separate file.
To sign a block of text or verify its signature:
Right click the keylock icon in your menu
Select the “Open editor” option
Type in or copy in your text
Click the “Sign / Verify” button
If you were verifying a signature, the result appears in a message box (when verifying a signature always take note of the key fingerprint, which should be identical for all signatures by the same person); if you were signing, continue with the next step
Select your key
Enter your key password
Copy out the result
To sign or verify the signature of a file:
Right click the keylock icon in your menu
Select the “Open editor” option
Click the “Signature” menu
Click the “Create signature...” or “Verify signature...” option accordingly
Select file to sign or check
If you wanted to create a signature you will have to select the key to use. If you wanted to verify the signature, the result appears in a message box (when verifying a signature always take note of the key fingerprint, which should be identical for all signatures by the same person).
Download the installation program (link in the references) and run it. During setup, accept the defaults; you may leave out GPGol (the Outlook plugin), the manuals and similar extras if you do not need them.
After the software installation, you should generate your key pair. If you already have a private key, do not create a new one; import the existing key instead.
To create a new key:
Start → All Programs → GnuPG For Windows → GPA
When presented with the dialog, select “Generate Key Now”.
Enter your real name. This information will help identify you as the owner of the signature. Then click “Forward”.
Enter the email address you are using for official communication. This information also helps identify you as the owner of the signature. Then click “Forward”.
Enter the passphrase that will protect this private key. You will need to enter it every time you sign something with this key. Then click “Forward”.
The program may complain about the password being too simple.
This article recommends that you do create a backup for your key when asked. Click “Apply”.
The key will be generated.
When prompted, select a location for your key backup. Save the file someplace SAFE. Remember, whoever gets this key and your passphrase will be able to sign documents in your name until you revoke it. Also remember that if you lose your private key, you will never be able to sign any more documents with the same key; an identical key cannot be generated later.
It is recommended that you create a revocation certificate. It can be used to revoke your key if the key is stolen:
Start → All Programs → GnuPG For Windows → WinPT
Double click the key icon in your system tray
Right click your key in the window
Select the “Revoke Cert” option
Select a reason (you may repeat this procedure if you wish to generate more revocation certificates)
Enter your private key's password
Select where you want to put your revocation certificate. Save it someplace safe. Keep in mind that anyone who can use your revocation certificate can revoke your key, after which signatures made with it will no longer be trusted.
Click OK
Your public key is required to verify your signatures. You may export the public key as a file and give it to the people who will have to verify your signatures, but this article recommends the more practical alternative of uploading the public key to a public key server. In either case, tell those people your key fingerprint through a separate channel (in person, by phone) so they can check that they have the right key:
Start → All Programs → GnuPG For Windows → GPA
Right click your key on the list
Select “Send Keys to Server...”
Click “Yes”
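The key-generation, backup, revocation-certificate and public-key-export steps above, for both the kGPG procedure and the GPG4Win procedure, done with the gpg command line that both packages install. This is an added example, not code from the article or from the GnuPG project. The signer name, email address, passphrase and output paths are placeholders; it assumes GnuPG 2.1 or later (for `--quick-gen-key` and the revocation certificate GnuPG writes automatically at key creation) and works in a throwaway keyring so it does not touch your real keys:

```shell
#!/bin/sh
# Added example: key generation, secret-key backup, revocation certificate and
# public-key export with the gpg command line (GnuPG 2.1+ / Gpg4win).
# All identities, passphrases and paths below are placeholders.
set -e

GPG=$(command -v gpg2 2>/dev/null || command -v gpg 2>/dev/null) \
    || { echo "GnuPG is not installed; nothing to demonstrate" >&2; exit 0; }

# Throwaway keyring: remove these three lines to work in your real ~/.gnupg.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"   # lets --passphrase work unattended
OUT="$(mktemp -d)"                                            # where the exported files go
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME" "$OUT"' EXIT

SIGNER="Example Signer <signer@example.invalid>"      # placeholder real name and e-mail
PASSPHRASE="placeholder passphrase - use a long one"  # placeholder

# gpg with the options needed for unattended use of a passphrase-protected key.
gpgb() { "$GPG" --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" "$@"; }

# Step 1: generate the key pair (RSA 3072, signing use, no expiry, as in the GUI dialog).
generate_key() { gpgb --quick-gen-key "$SIGNER" rsa3072 sign never; }

# The fingerprint is the key's identity; the name and address inside the key are
# whatever its creator typed. Verifiers should compare against the fingerprint.
fingerprint() {
    "$GPG" --batch --with-colons --with-fingerprint --list-keys "$SIGNER" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: back up the secret key ("Export secret key" / the GPG4Win backup prompt).
# The file stays passphrase-protected, but file plus passphrase lets anyone sign as you.
backup_secret_key() { gpgb --armor --export-secret-keys "$SIGNER" > "$1"; }

# Step 3: revocation certificate. GnuPG 2.1+ writes one at key-creation time to
# openpgp-revocs.d/<FINGERPRINT>.rev, with a colon in front of the BEGIN line so it
# cannot be imported by accident; removing that colon makes it usable.
save_revocation_cert() {   # $1 = fingerprint, $2 = destination file
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" > "$2"
}

# Step 4: export the public key to hand to verifiers (to publish it instead, use
# "gpg --send-keys <FINGERPRINT>", not done here because it needs the network).
export_public_key() { "$GPG" --batch --armor --export "$SIGNER" > "$1"; }

# Validity flag of a key in the keyring ("u" for a key we own, "r" once revoked).
key_validity() {
    "$GPG" --batch --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Using the revocation certificate: importing (or publishing) it marks the key revoked,
# and verifiers then reject signatures made with it. Whoever holds the certificate can
# do this, which is why it must be kept as safely as the key itself.
revoke_with_certificate() { "$GPG" --batch --import "$1" >/dev/null 2>&1; }

generate_key
FPR=$(fingerprint)
backup_secret_key "$OUT/secret-key-backup.asc"
save_revocation_cert "$FPR" "$OUT/revocation.asc"
export_public_key "$OUT/public-key.asc"
BEFORE=$(key_validity "$FPR")
revoke_with_certificate "$OUT/revocation.asc"     # throwaway key, so show the effect
AFTER=$(key_validity "$FPR")
echo "key $FPR: validity before revocation '$BEFORE', after 'r' = '$AFTER'"
```

Two things worth keeping from the script when you do this by hand: the fingerprint, which is what you should give to the people who verify your signatures, and the fact that the revocation certificate is a single import away from ending the key's useful life, so it belongs in the same kind of safe place as the secret-key backup.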
By this point, your private key is ready and you can sign documents. There are two basic ways to sign content: signing text and signing files. When signing, remember that the content has to remain identical for the signature to stay valid; any change at all, including formatting changes, will invalidate the signature. Signing text (a clear-signed message) is recommended over signing files because the signature is embedded in the text rather than delivered as a separate file.
To sign a block of text or verify its signature:
Start → All Programs → GnuPG For Windows → WinPT
Copy the text to sign or verify into the clipboard
Right click the key icon in your system tray
Clipboard → Sign to sign the content or Clipboard → Decrypt/Verify to verify signature
If you wanted to create a signature, paste the result where you need it. If you wanted to verify the signature, the result appears in a message box (when verifying a signature always take note of the key fingerprint, which should be identical for all signatures by the same person).
To sign a file:
Open the folder containing the file in Windows Explorer
Right click the file → GPGee → Sign...
Open the “Signing Keys” dropdown and tick your key
Click OK
To verify the signature of a file:
Open the folder containing the file in Windows Explorer
Right click the file containing the signature
GPGee → Decrypt/Verify
The result appears in a message box (when verifying a signature always take note of the key fingerprint, which should be identical for all signatures by the same person).
Using these software packages one can sign documents so that a verifier can confirm that the signature was made with a specific person's key and that the content has not been altered since it was signed. The private key cannot be derived from the signatures.
It remains the user's responsibility to keep the key safe so that it cannot be abused by other people. The passphrase protects against someone who gains physical access to the workstation; keeping the private key file itself confidential, inaccessible to people not authorized to use it, and safe from accidental loss is an entirely different problem.
It is important to note that the signed document must include all the information the author is certifying. Signing a message that says only “Yes” proves nothing about what was agreed to, and a signed fragment without context can be presented later as agreement to something else. It is therefore highly recommended that at least a short description of the issue at hand and the current date be included in the signed document. The development of an official format is recommended.
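The signing and verification procedures above (the kGPG editor and WinPT/GPGee steps) and the advice just given about what the signed text must contain, done with the gpg command line that GnuPG and Gpg4win install. This is an added example, not code from the article or from the GnuPG project. The signer identity, passphrase, statement text and file paths are placeholders; it assumes GnuPG 2.1 or later and uses a throwaway keyring. It also shows the check a verifier should make that the GUI message box leaves to the user: accepting a signature only if it is valid and comes from the expected fingerprint.

```shell
#!/bin/sh
# Added example: clear-signing a statement, detached-signing a file, and verifying
# both against a pinned fingerprint with the gpg command line (GnuPG 2.1+ / Gpg4win).
# Identity, passphrase, statement text and paths are placeholders.
set -e

GPG=$(command -v gpg2 2>/dev/null || command -v gpg 2>/dev/null) \
    || { echo "GnuPG is not installed; nothing to demonstrate" >&2; exit 0; }

export GNUPGHOME="$(mktemp -d)"          # throwaway keyring for the demo
chmod 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT

SIGNER="Example Signer <signer@example.invalid>"   # placeholder
PASSPHRASE="placeholder passphrase"                # placeholder

gpgb() { "$GPG" --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" "$@"; }

# A signing key for the demo (any signing-capable key works; Ed25519 is quick to make).
gpgb --quick-gen-key "$SIGNER" ed25519 sign never
FPR=$("$GPG" --batch --with-colons --with-fingerprint --list-keys "$SIGNER" \
        | awk -F: '$1 == "fpr" { print $10; exit }')

# Sign text in place (kGPG "Sign / Verify", WinPT "Clipboard -> Sign"): the signature is
# embedded in the text. The statement says what is agreed and when, so the signed block
# cannot be passed off later as agreement to something else.
clearsign_statement() {   # $1 = destination file
    {
        echo "Subject: approval of purchase order PO-1234 (placeholder)"
        echo "Date: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "Approved: yes"
    } | gpgb --armor --clearsign > "$1"
}

# Sign a file ("Create signature..." / GPGee "Sign..."): detached signature in $1.asc.
# The file and its .asc travel together; the verifier needs both.
detach_sign_file() { gpgb --armor --detach-sign "$1"; }

# Verify, accepting only a VALID signature from the EXPECTED key: gpg's status output
# names the signing key's fingerprint, and that, not the name or address in the key,
# is what we pin. Usage: verify_pinned <fingerprint> <clearsigned-file>
#                    or  verify_pinned <fingerprint> <file.asc> <file>
verify_pinned() {
    expected=$1; shift
    status=$("$GPG" --batch --status-fd 1 --verify "$@" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected "
}

clearsign_statement "$WORK/statement.asc"
printf 'placeholder contract text\n' > "$WORK/contract.txt"
detach_sign_file "$WORK/contract.txt"

# A copy of each with one change: the answer flipped, a line appended to the file.
sed 's/^Approved: yes$/Approved: no/' "$WORK/statement.asc" > "$WORK/statement-edited.asc"
cp "$WORK/contract.txt" "$WORK/contract-edited.txt"
printf 'one more line\n' >> "$WORK/contract-edited.txt"

verify_pinned "$FPR" "$WORK/statement.asc" && echo "statement: valid, signed by $FPR"
verify_pinned "$FPR" "$WORK/contract.txt.asc" "$WORK/contract.txt" && echo "contract: valid"
verify_pinned "$FPR" "$WORK/statement-edited.asc" || echo "edited statement: REJECTED"
verify_pinned "$FPR" "$WORK/contract.txt.asc" "$WORK/contract-edited.txt" || echo "edited contract: REJECTED"
```

The two edited copies show why the article insists on identical content: a single changed character in the clear-signed statement, or one extra line in the file, makes gpg report a bad signature. Pinning the fingerprint in `verify_pinned` is the command-line form of "always take note of the key fingerprint": a valid signature from a different key whose user ID carries the same name would be rejected just like a tampered file.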
GnuPG encryption engine:
kGPG graphical user interface:
http://developer.kde.org/~kgpg/
GPG4Win encryption engine and graphical user interface package:
Enigmail email signing interface: