PGP signing

Adam Sampson ats at offog.org
Mon Jun 9 14:35:44 UTC 2014


Allan Irving <allanirving at allanirving.co.uk> writes:

> What I see at the moment, when a message is just signed, is a wrapper
> consisting of the encryption type the public key uses and then the key
> itself towards the bottom. How does GPG prevent someone from copying this,
> spoofing an email address and then signing a message?

The signature data at the bottom isn't your public key. It's [*] a hash
of the message, encrypted with your private key. To verify the
signature, the receiver decrypts the signature using your public key,
and checks it matches the hash of the message they received.

If someone copied the signature onto a different message, the hash of
the new message wouldn't match the hash retrieved from the signature, so
verification would fail.

[*] This is simplified a bit, and there are other ways of doing digital
signatures that have the same effect. See the GPG manual:
  https://www.gnupg.org/gph/en/manual/x215.html

-- 
Adam Sampson <ats at offog.org>                         <http://offog.org/>
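The sign/verify flow Adam describes, as an added example that is not part of the original thread: textbook RSA over a SHA-256 digest, using constructed toy primes. Real GPG keys are thousands of bits and the OpenPGP format adds padding, key metadata and packet framing, so this only illustrates the simplified model in the reply.

```python
import hashlib

# Constructed toy RSA key pair (assumption: these small primes are for
# illustration only and offer no security; real keys are far larger).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent, part of the public key
D = pow(E, -1, PHI)       # private exponent (modular inverse, Python 3.8+)


def message_hash(message: bytes) -> int:
    """Hash the message and reduce it into the modulus range."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """'Encrypt' the hash with the private key: this is the signature."""
    return pow(message_hash(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recover the hash with the public key and compare it with a fresh
    hash of the message actually received."""
    recovered = pow(signature, e, n)
    return recovered == message_hash(message)


def copied_signature_demo() -> dict:
    """Show that a signature lifted from one message does not verify on
    another: the recovered hash no longer matches (constructed input)."""
    original = b"Meeting moved to 3pm. -- Alice"
    altered = b"Please wire the invoice to this new account. -- Alice"
    sig = sign(original)
    return {
        "original_verifies": verify(original, sig),
        "altered_verifies": verify(altered, sig),   # signature copied over
    }


if __name__ == "__main__":
    print(copied_signature_demo())
```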