Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, sensitive documents, and much more. It’s very common for these types of information to be transmitted via email or other services. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data?
Businesses need to ensure confidentiality, data integrity, message authentication (proof of origin), and non-repudiation (proof of content and its origin). Read on to learn how to sign a file with GnuPG and how to verify the authenticity of the signed file.
GnuPG offers three options for signing data:
--detach-sign: create a binary or ASCII-armored detached signature from the input.
--clearsign: wrap the input in a plaintext signature.
--sign: encode the input into binary or ASCII-armored output with an integrated signature.
Let's take a simple example of how to sign a document.
gpg --clearsign file.txt
The signed file is saved as file.txt.asc, with this content:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I want to sign this message!
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEar1XMrK21wy...
-----END PGP SIGNATURE-----
Then verify the signed file:
gpg --verify file.txt.asc
You will see something like this:
gpg: Signature made Wed 26 Jan 2022 07:55:37 AM CET
gpg: Good signature from "alvosec <info@alvosec.com>"
A signed document on its own has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed file must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature, stored in a separate file. A detached signature is created using the --detach-sign option.
gpg --detach-sign -o sig.gpg file.pdf
Both the document and the detached signature are needed to verify the signature. The --verify option can be used to check it, naming the signature file first and the document second:
gpg --verify sig.gpg file.pdf
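As an added example that is not part of the original post: a POSIX shell check that accepts a detached signature only when gpg's machine-readable --status-fd output reports VALIDSIG for an allow-listed fingerprint and a trust level of FULLY or ULTIMATE. The fingerprint, key ID and status lines below are constructed placeholders; the function and sample names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. The gpg exit code and the
# "Good signature" text say the signature matches some key in the keyring; they
# do not say whether that key is the one you expect or whether you trust it.

# Constructed placeholder fingerprint of the key expected to have signed file.pdf.
ALLOWED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# verify_status FPR  (reads "[GNUPG:] ..." status lines on stdin)
# Returns 0 only if a VALIDSIG line names FPR and a TRUST_FULLY or
# TRUST_ULTIMATE line is present; any bad/expired/revoked result returns 1.
verify_status() {
    fpr="$1"; sig_ok=0; trust_ok=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $fpr "*) sig_ok=1 ;;
            "[GNUPG:] TRUST_FULLY "*|"[GNUPG:] TRUST_ULTIMATE "*) trust_ok=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
        esac
    done
    [ "$sig_ok" -eq 1 ] && [ "$trust_ok" -eq 1 ]
}

# check_detached sig.gpg file.pdf -- real invocation; needs gpg installed.
# --status-fd 1 sends the status lines to stdout for verify_status to parse.
check_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | verify_status "$ALLOWED_FPR"
}

# Constructed status output shaped like gpg's (hash algo 10 = SHA512, as on the page).
sample_good() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 alvosec <info@alvosec.com>" \
        "[GNUPG:] VALIDSIG $ALLOWED_FPR 2022-01-26 1643180137 0 4 0 1 10 00 $ALLOWED_FPR" \
        "[GNUPG:] TRUST_ULTIMATE 0 pgp"
}
sample_untrusted() {   # signature verifies, but the key was never trusted
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 alvosec <info@alvosec.com>" \
        "[GNUPG:] VALIDSIG $ALLOWED_FPR 2022-01-26 1643180137 0 4 0 1 10 00 $ALLOWED_FPR" \
        "[GNUPG:] TRUST_UNDEFINED 0 pgp"
}
sample_bad() {         # document modified after signing
    printf '%s\n' "[GNUPG:] NEWSIG" "[GNUPG:] BADSIG 89ABCDEF01234567 alvosec <info@alvosec.com>"
}
```

Run `check_detached sig.gpg file.pdf` in place of a bare `gpg --verify` when a script must decide whether to act on the file; a signature from an unexpected or untrusted key is then rejected rather than reported as "Good".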