Welcome to Part 4 of the GPG/PGP Key series.
What we will learn: In the last part we saw how to verify a detached signature (.sign) file to confirm that the files and their MD5SUMS were uploaded by the right person. In this part we will learn how to create that signature file so that your friends can verify it just as you did in the last part.
So let’s get started…
Step 1: Select a file to upload
Let’s assume that we are going to upload a file called “memtest.bin” so that people can download it. Before downloading, they would like to verify that the file was really uploaded by you. You can download the “memtest.bin” file and use it to follow the tutorial.
Step 2: Create an MD5SUM for the file
Now we generate an MD5 checksum for the file “memtest.bin”.
# md5sum memtest.bin > MD5SUM
You should see something like this in the MD5SUM file:
# less MD5SUM
Note: You can create an MD5 checksum for any file (.doc, .iso, .bin and so on).
Step 3: Create a detached signature for MD5SUM
Lastly, we will sign the file MD5SUM that we created in Step 2.
# gpg --output MD5SUM.sign -abs MD5SUM
(You will be asked for your passphrase)
The above command will create an ASCII-armored file called MD5SUM.sign whose contents will look like this:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
Step 4: Upload your files
Finally we will upload all three files (memtest.bin, MD5SUM and MD5SUM.sign) that we created in the steps above.
Now your friends, or anyone interested in downloading your “memtest.bin” file, can follow the steps in Part 3 to verify that the files were indeed uploaded by you.
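Steps 2 to 4 as one publisher-side script, added here as an example that is not part of the original tutorial: it builds MD5SUM, signs it, and refuses to report the set as ready unless the signature and the checksum both still verify (for instance if the file was edited after signing). The function names, the `--release` flag and the `HASH_TOOL` variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: function names, --release and HASH_TOOL are assumptions.

HASH_TOOL=${HASH_TOOL:-md5sum}   # the post uses md5sum; sha256sum takes the same arguments

# Step 2: write the checksum list for the named files in the current directory.
make_checksums() {
    "$HASH_TOOL" "$@" > MD5SUM
}

# Re-check every listed file against MD5SUM; non-zero if any file changed since.
checksums_match() {
    "$HASH_TOOL" -c MD5SUM >/dev/null 2>&1
}

# Step 3: ASCII-armored detached signature over MD5SUM (same as the post's -abs).
sign_checksums() {
    rm -f MD5SUM.sign   # drop a stale signature; gpg otherwise asks before overwriting
    gpg --output MD5SUM.sign --armor --detach-sign MD5SUM
}

# Pre-upload gate: the signature must cover this MD5SUM, and MD5SUM must match the files.
release_is_consistent() {
    gpg --verify MD5SUM.sign MD5SUM >/dev/null 2>&1 && checksums_match
}

prepare_release() {
    make_checksums "$@" || return 1
    sign_checksums || return 1
    if release_is_consistent; then
        echo "ready to upload: $* MD5SUM MD5SUM.sign"
    else
        echo "refusing to upload: signature or checksum does not verify" >&2
        return 1
    fi
}

# Usage: sh release.sh --release memtest.bin
if [ "${1:-}" = "--release" ]; then
    shift
    prepare_release "$@"
fi
```

Running the same gate again just before uploading catches a file that was rebuilt or edited after MD5SUM was signed.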