Internet Security Professional Reference:PGP


Clearsigning

Clearsigning a message is the addition of a digital signature to a message that has been left in text form, so that the message can be read without PGP. PGP is expected eventually to use Multipurpose Internet Mail Extensions (MIME) to sign messages, but at this time PGP has its own method. Clearsigning can only sign text files. If a binary file is chosen, PGP will revert to a normal signature on the file instead of clearsigning it.

When PGP clearsigns a message, the output is a PGP file that is partially protected in ASCII armor. Clearsigning does not armor the message itself, only the signature on the message. The message must therefore be capable of being transported without armor protection. Although PGP does not wrap the clearsigned message in armor, it may quote parts of the message. In particular, PGP will quote lines that have a leading dash, or that start with the string "From " (note the trailing space). When PGP quotes a line, it adds a leading dash (-) followed by a space.

Note that the output of clearsigning a message is a PGP file, not a text file. Even though the output is readable using a text editor or mail reader, the actual text may have been modified (that is, quoted) by the signer's PGP, so anything that depends on the exact text should be run only on the output from PGP. For example, a clearsigned PostScript file may not execute on the remote side, because of the quoting added by clearsigning, until PGP is used to retrieve the original text.

It is important that you understand the distinction between a PGP file and a text file. Though a clearsigned message is readable, it is not necessarily identical to the original message that was sent. You should always run PGP on a clearsigned message and use the output from PGP as the original message; never use the contents of a clearsigned message directly and run PGP only to verify the signature. Instead, always use PGP to unquote the clearsigned message before running the text through any other processor.
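The quoting rule described above, and the unquoting that PGP performs when it is run on a clearsigned file, as an added example (constructed for this section; not code from the book or from PGP itself). The PostScript and mail fragments are constructed inputs chosen so that some lines start with a dash or with "From ":

```python
# Added example (not from the book or from PGP): the line quoting that PGP
# applies when clearsigning, and the unquoting step that recovers the
# original text. The sample texts below are constructed for illustration.

QUOTE_PREFIX = "- "


def needs_quoting(line: str) -> bool:
    """PGP quotes lines that start with a dash or with the string "From "."""
    return line.startswith("-") or line.startswith("From ")


def quote_for_clearsign(text: str) -> str:
    """Return the message body as it appears inside a clearsigned PGP file."""
    out = []
    for line in text.split("\n"):
        out.append(QUOTE_PREFIX + line if needs_quoting(line) else line)
    return "\n".join(out)


def unquote_clearsigned(body: str) -> str:
    """Undo the quoting, as PGP does when you run it on a clearsigned file."""
    out = []
    for line in body.split("\n"):
        out.append(line[len(QUOTE_PREFIX):] if line.startswith(QUOTE_PREFIX) else line)
    return "\n".join(out)


def altered_lines(text: str) -> list:
    """1-based numbers of lines that differ between the original and the clearsigned body."""
    quoted = quote_for_clearsign(text).split("\n")
    return [i + 1 for i, (a, b) in enumerate(zip(text.split("\n"), quoted)) if a != b]


# Constructed PostScript fragment: a negative coordinate puts a dash at the
# start of a line, so the clearsigned copy is no longer valid PostScript.
POSTSCRIPT = "%!PS\n-72 -72 translate\n0 0 moveto\n(hi) show\nshowpage\n"

# Constructed mail text with a mailbox-style "From " line and a dashed rule.
MAIL = "From alice Mon Nov 20 1995\nSubject: test\n---\nbody\n"

if __name__ == "__main__":
    for sample in (POSTSCRIPT, MAIL):
        body = quote_for_clearsign(sample)
        print(body)
        # Unquoting always recovers the original, even for lines already starting "- ".
        assert unquote_clearsigned(body) == sample
        print("altered lines:", altered_lines(sample))
```

Running it shows which lines of each sample a reader of the raw clearsigned file would see in modified form, which is why the text insists on letting PGP unquote the message first.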

~> pgp -sat message
Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses.
(c) 1990-1994 Philip Zimmermann, Phil’s Pretty Good Software. 11 Oct 94
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1995/11/19 05:17 GMT

A secret key is required to make a signature.
You need a pass phrase to unlock your RSA secret key.
Key for user ID "Ruth Thomas <tara@mail.Free.NET>"

Enter pass phrase:

Because a signature is requested, PGP asks for the pass phrase of the secret key. By default, PGP uses the first secret key on the secret key ring, which is the most recently created key. You can instead select the signing key with the -u command-line option or by setting the MYNAME variable in the configuration file.

Pass phrase is good.
Key for user ID: Ruth Thomas <tara@mail.Free.NET>
1024-bit key, Key ID D0C6326D, created 1995/11/14
Just a moment....
Clear signature file: message.asc

Detached Signatures

A detached signature is a signature that is stored separately from the file it is meant to protect—the original file is unmodified. Detached signatures are usually used to sign files in place, such as package distributions and system programs. Any time you want to sign a file but do not want to require the recipient to run PGP on it to recover the original, a detached signature is probably what you want.

A detached signature carries the same information as a normal signature: who signed the file, when it was signed, and the signature data itself. The difference is that the signature file and the signed file are transmitted separately. If the signed file is an executable program, this may be the most useful way to verify the program. For example, you could sign the PGP binary with a separate signature so that someone can later verify the signature on the binary. To generate a separate signature, use the -sb option to PGP:

~> pgp -sba text file
Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses.
(c) 1990-1994 Philip Zimmermann, Phil’s Pretty Good Software. 11 Oct 94
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1995/11/27 20:09 GMT

A secret key is required to make a signature.
You need a pass phrase to unlock your RSA secret key.
Key for user ID "Ruth Thomas <tara@mail.Free.NET>"

Enter pass phrase:

PGP asks for the pass phrase of the current secret key. The pass phrase unlocks the key so that it can be used to generate the signature. Once the key is unlocked, PGP writes the signature to a separate file, leaving the original file intact.

Pass phrase is good.
Key for user ID: Ruth Thomas <tara@mail.Free.NET>
1024-bit key, Key ID D0C6326D, created 1995/11/14
Just a moment....
Transport armor file: text file.asc

The output file contains only the signature on the original file. The original file can be a text file, a binary file, an executable, or anything else. A detached signature in ASCII armor looks like this:

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUAMLoa4kj/XP7QxjJtAQEzMgP/ZlQRGio1xYPxJnTaflxhmX5s5b66WN6Z
PMZo3LcO/K6HwFuunL0u0qt6rwKOHd5gm83GEv6Xic8MwraYT347hY86QWYFbw7A
aEAXQPY1PNK8YD6ZPm38ChXXjAzqEEYHYO10KBA5FGKuEpv1GhpYAuau0FwftZVN
r/e1rB6/2A8=
=15Fb
-----END PGP MESSAGE-----
