The Gnome Privacy Guard (GnuPG, currently "gpg2") can be incorporated into software where security is needed.
We have been stepping through how this is done in the ENIGMAIL plugin for the Thunderbird eMail client.
You can play with GnuPG in Terminal if you would like to learn more about it. Open a terminal and enter the command shown; you should get something like this:
```
$ gpg2 --version
gpg (GnuPG) 2.0.26
libgcrypt 1.6.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```
You can enter
and it will display all of the tokens you can use on the command line.
One of the features that is critically needed is the detached signature.
In any case where you have a file and you want to authenticate it, you can create a detached signature for that.
In my example here I have a test file, test.txt:
```
This has been a test.
Had it been an actual alert you would not have received this message.
```
I want to make a signature for it so that you can verify its authenticity. This is easy to do on the command line, but remember this can be incorporated into packaged software:
```
$ gpg2 --local-user "Mike Acker" --detach-sign --armor --sign test.txt
You need a passphrase to unlock the secret key for
user: "Mike Acker <mike_acker@charter.net>"
4096-bit RSA key, ID 4DEA0DAD, created 2015-09-02
```
The result is an added file: test.txt.asc
```
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

=kbcV
-----END PGP SIGNATURE-----
```
The signature can then be used to authenticate the document, provided that you have a trusted copy of my public key:
```
$ gpg2 --verify test.txt.asc
gpg: assuming signed data in 'test.txt'
gpg: Signature made Wed 16 Sep 2015 06:42:48 AM EDT using RSA key ID 4DEA0DAD
gpg: Good signature from "Mike Acker <mike_acker@charter.net>" [ultimate]
```
If even one bit is changed in the corresponding file (test.txt corresponds with test.txt.asc), the signature will not verify:
```
$ gpg2 --verify test.txt.asc
gpg: assuming signed data in 'test.txt'
gpg: Signature made Wed 16 Sep 2015 06:42:48 AM EDT using RSA key ID 4DEA0DAD
gpg: BAD signature from "Mike Acker <mike_acker@charter.net>" [ultimate]
```
All that I did was to add a line feed character to the end of the last line. If I did anything at all to the test.txt file it will not verify:
```
This has been a test.
Had it been an actual alert you would not have received this message.

```
In the next annex we will talk about Forms 1040. Remember: if you have several documents that need to be submitted together they should be zipped. The .zip is then signed, and then the signature together with the .zip containing the documents can be zipped into a transmittal package. This is the manner in which Symantec/PGP products have been delivered. While this might sound like a lot of fuss, remember that the process should be incorporated into a software solution so that it is done automatically. The only thing external is the need to verify and authenticate the encryption keys, i.e. make sure you know who you are communicating with. This is important for Forms 1040 and similar business.
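As an added worked example (not code from the post or from GnuPG itself), here is the sender/recipient procedure described above as a shell script: bundle the documents, detached-sign the bundle, wrap both into a transmittal package, verify on receipt, and show the one-line-feed tamper case. It assumes gpg2 or gpg (2.1 or newer) on PATH, uses a throwaway key in a temporary GNUPGHOME, and uses tar where the post says zip.

```shell
#!/bin/sh
# Added example (not from the original post): build the transmittal package
# described above, detached-sign it, and verify it on receipt, including the
# one-byte-changed case. Assumes gpg2 or gpg (2.1+) on PATH; uses a throwaway,
# passphrase-less key in a temporary GNUPGHOME (constructed for this demo, not
# the author's key). tar stands in for zip.
set -e

GPG=$(command -v gpg2 || command -v gpg || true)
[ -n "$GPG" ] || { echo "gpg not found, nothing to demonstrate" >&2; exit 0; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME
WORK=$(mktemp -d)
trap 'rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Throwaway signing key; loopback pinentry lets --passphrase '' apply in batch mode.
"$GPG" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "Demo Signer <demo@example.invalid>" default default never 2>/dev/null

# sign_package DIR OUT (sender side): pack DIR into OUT.tar, write the detached,
# ASCII-armored signature OUT.tar.asc beside it, then bundle both into the
# transmittal package OUT.transmittal.tar.
sign_package() {
    tar -cf "$2.tar" -C "$1" .
    "$GPG" --batch --quiet --local-user "demo@example.invalid" \
        --armor --detach-sign --output "$2.tar.asc" "$2.tar"
    tar -cf "$2.transmittal.tar" -C "$(dirname "$2")" \
        "$(basename "$2").tar" "$(basename "$2").tar.asc"
}

# verify_package FILE (recipient side): GOOD if FILE.asc verifies against FILE
# with a key already in the recipient's keyring, BAD otherwise.
verify_package() {
    if "$GPG" --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; then echo GOOD; else echo BAD; fi
}

# demo: sign two constructed documents, verify, append one line feed, verify again.
demo() {
    mkdir -p "$WORK/docs"
    printf 'This has been a test.\n' > "$WORK/docs/test.txt"
    printf 'constructed form data\n' > "$WORK/docs/f1040.txt"
    sign_package "$WORK/docs" "$WORK/package"
    first=$(verify_package "$WORK/package.tar")
    printf '\n' >> "$WORK/package.tar"   # the single extra line feed from the post
    second=$(verify_package "$WORK/package.tar")
    echo "$first $second"
}

demo   # prints: GOOD BAD
```

The recipient only needs the signer's public key in a trusted keyring; the script generates the key itself purely so it can run stand-alone.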