Linux Intro: Signing and verifying data using GPG

In this video we use GPG to sign and verify data. Signing is a secure way to check whether data has been modified since the time of signing. We sign the data with our private key. Other users can verify the data and signature by using our public key.

We are using Ubuntu Linux with the default install of GPG. Private keys were already generated.
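The sign-and-verify flow described above, as an added example that is not taken from the video: it signs a file with a detached signature, then checks it both with plain `gpg --verify` and with a check pinned to the signer's fingerprint. It assumes GnuPG 2.1 or later; the key name, address, file names and the throwaway keyring are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: every name, address and file below is constructed.
export GNUPGHOME="$(mktemp -d)"   # throwaway keyring, leaves ~/.gnupg alone
WORK="$(mktemp -d)"

# gpg with the options needed to run unattended against the test keyring.
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Generate an unprotected, signing-only test key and print its fingerprint.
new_key() {
  g --status-fd 1 --quick-generate-key "$1" ed25519 sign never 2>/dev/null |
    awk '$2 == "KEY_CREATED" { print $4 }'
}

# sign_file <fingerprint> <file>: write a detached signature to <file>.sig
sign_file() { g --local-user "$1" --output "$2.sig" --detach-sign "$2"; }

# Plain check: passes for a good signature from ANY key in the keyring.
verify_any() { gpg --batch --verify "$1.sig" "$1" 2>/dev/null; }

# Pinned check: the signature must be valid AND made by the expected key.
# The last field of gpg's VALIDSIG status line is the primary key fingerprint.
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$2.sig" "$2" 2>/dev/null |
    awk -v want="$1" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
}

SIGNER=$(new_key 'Demo Signer <signer@example.invalid>')
LOOKALIKE=$(new_key 'Demo Signer <signer@example.invalid>')  # same name, other key

printf 'original contents\n' > "$WORK/test.txt"
sign_file "$SIGNER" "$WORK/test.txt"

# Case 1: file modified, original signature kept.
printf 'modified contents\n' > "$WORK/tampered.txt"
cp "$WORK/test.txt.sig" "$WORK/tampered.txt.sig"

# Case 2: file modified and re-signed with the look-alike key.
printf 'modified contents\n' > "$WORK/resigned.txt"
sign_file "$LOOKALIKE" "$WORK/resigned.txt"

for f in test tampered resigned; do
  verify_any "$WORK/$f.txt" && any=pass || any=FAIL
  verify_pinned "$SIGNER" "$WORK/$f.txt" && pin=pass || pin=FAIL
  echo "$f.txt: gpg --verify=$any pinned=$pin"
done
gpgconf --kill gpg-agent   # stop the agent started for the throwaway keyring
```

The re-signed file passes plain `gpg --verify` because the look-alike key is in the keyring, which is why the fingerprint obtained through a trusted channel is what the check has to be anchored to.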


Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
Comments

This is exactly what I was looking for. Thank you so much. Many of my non-tech friends find this boring but I find it fascinating.

jacksmith

6:22 "if my website is compromised... they could change the hash"
7:22 "if an attacker changed the file my public key would not verify it correctly"

They still need to have somehow received a valid public key which wasn't compromised and this isn't something you addressed.

foobars

Hi, James, thank you very much for your tutorial which I found very well explained and useful.

MsDelta

This is better and different than using just a hash, which a hacker can modify if they change the file, in that even if they change the signature file too, your gpg won't pass the verification because the hacker signed the file with a key different than the legitimate one, which you must have imported before and which your system trusts.

SirSidi

Hello, very detailed explanation, appreciate the good work.

nikiit

What if the attacker gets the original file & signature, verifies it, copies that info, and generates its own signature recreating all that info?

claudioa.parragonzalez

Just wondering if you set up tac to be an alias for cat?

nipponese

I'm only 2 min into this but this is a nice video, I'm subscribing.

bitcanics

Good, clear content on a specific issue. Cheers

hellothere

Could you please point the other video where you explain how to generate keys? Thank you.

deltakid

Can't the attacker make his own key pair using the info displayed (name, mail), modify the text and then generate a new signature file? And yes, maybe the ID and time would have changed, but those give no authenticity.

cipherswami

Thanks for the useful video, but TBH I would have preferred without the backing track.

drmaybe

So the signature is basically a hash for the data that is salted with the private GPG/PGP key, so a hash/signature for that data cannot be created without the private key only you have.
Am I correct?
If this is how it is, you would probably have to store the public key in a third-party place so it cannot be replaced.

mrt_

Content is good, but please turn off the background music next time ;)

christophlinse

A .gpg binary file can be either a signature or a public key, right? How do we know which it is?

jayshah

Well, how are other people supposed to get the public key?

Kirmo

Hello! Returning to the example: "If your system is compromised", the attacker could put a new test.txt and create a new signature putting your same data that appears in the verification, so what is the point of all this? I wish someone could clarify this doubt for me. Thank you.

ajlozadaro

I'm running gpg on Windows via MSYS2 and getting the error message "gpg: Can't check signature: public key not found". Any ideas? Thanks

isapir

But how can the users verify that your public key hasn't been tampered with? Seems like it's the same problem with using hashes in the first place? Can you make a video on how to safely share your public key without it being tampered with?

zaidgharaybeh

Do we need the awful music in the background?

Otherwise, that was a good job. Everything you said was correct.

armandoargolvini