Welcome to Part 4 of the GPG/PGP Key series.

What we will learn: In the last part we saw how to verify a detached signature (.sign) file to confirm that the files and their MD5SUMS were uploaded by the right person. In this part we will learn how to create that signature file so that your friends can verify your files just as you did in the last part.

So let’s get started…

Step 1: Select a file to upload

Let’s assume that we are going to upload a file called “memtest.bin” so that people can download it. Before downloading it, they would like to verify that the file was really uploaded by you. You can download the “memtest.bin” file and use it to follow the tutorial.

Step 2: Create an MD5SUM for the file

Now we generate an MD5 checksum for the file “memtest.bin” and save it in a file called MD5SUM.

# md5sum memtest.bin > MD5SUM

You should see something like this in the MD5SUM file:

# less MD5SUM
32fe76fda886150ffbf47d5c6e7b730f  memtest.bin

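Note: You can create an MD5 checksum for any file (.doc, .iso, .bin and so on)

Step 3: Create a detached signature for MD5SUM

Lastly, we will sign the file MD5SUM that we created in Step 2. The signature does not encrypt anything; it lets others check that MD5SUM came from you and has not been changed.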

# gpg --output MD5SUM.sign -abs MD5SUM

(You will be asked for your passphrase)

The above command (-a for ASCII-armored output, -b for a detached signature, -s to sign) will create a file called MD5SUM.sign whose contents will look like this:

Version: GnuPG v1.4.9 (GNU/Linux)


Step 4: Upload your files

Finally we will upload all three files that we created in the above steps: memtest.bin, MD5SUM and MD5SUM.sign. Click here to see all three files as an example.

Now your friends or other people who are interested in downloading your “memtest.bin” file can follow the steps in Part 3 to verify that the files were indeed uploaded by you.
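
Steps 2 to 4 as one script, added here as an example (it is not part of the original tutorial): it writes MD5SUM, signs it with the long forms of -a -b -s, and before you upload runs the same two checks a downloader performs in Part 3. The function names, the SIGNING_KEY variable and the script name are assumptions; gpg and md5sum must be on your PATH.

```shell
#!/bin/sh
# Added example: Steps 2-4 as functions, plus a pre-upload self-check.
# Assumes gpg and md5sum are on PATH and that you already have a signing key.

# Step 2: write "<md5>  <name>" lines for the named files into DIR/MD5SUM.
make_md5sum() (
    cd "$1" && shift && md5sum "$@" > MD5SUM
)

# Step 3: same as "gpg --output MD5SUM.sign -abs MD5SUM", with long options.
# SIGNING_KEY is an assumed variable; when unset, gpg uses your default key.
sign_md5sum() {
    gpg --yes ${SIGNING_KEY:+--local-user "$SIGNING_KEY"} \
        --output "$1/MD5SUM.sign" --armor --detach-sign "$1/MD5SUM"
}

# Recompute every checksum listed in DIR/MD5SUM.
check_md5sum() (
    cd "$1" && md5sum -c MD5SUM > /dev/null 2>&1
)

# What a downloader does in Part 3: trust MD5SUM only if its signature
# verifies, then trust the files only if they match MD5SUM.
# Returns 0 = good, 1 = signature problem, 2 = checksum mismatch.
verify_release() {
    gpg --verify "$1/MD5SUM.sign" "$1/MD5SUM" 2> /dev/null || {
        echo "MD5SUM.sign does not verify MD5SUM" >&2; return 1; }
    check_md5sum "$1" || {
        echo "a file does not match MD5SUM" >&2; return 2; }
}

# Usage: sh sign-release.sh DIR FILE...   (script name is an assumption)
if [ "$#" -ge 2 ]; then
    dir=$1; shift
    make_md5sum "$dir" "$@" && sign_md5sum "$dir" && verify_release "$dir"
fi
```

If a file changes after signing, verify_release returns 2; if MD5SUM itself is regenerated without re-signing, it returns 1.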

That’s it!

Part 5: Backing up, Restoring, Revoking and Deleting your GPG/PGP keys in Debian
