Add Signed Verification with airSlate SignNow

Signature block verification

welcome back everyone today we're going to be talking about using GPG to sign data this is useful in a lot of different situations anytime you have a file or any type of data that you want to make sure does not change and you want your users to make sure that it doesn't change it's very useful to be able to assign the data that way they can verify in a very secure way that the data has not changed so what I'm going to do I have this empty folder I'm going to create a file test txt that contains just the word hello okay now this is a very easy very small file test on text okay so we have hello so now I have this data and let's say that I wanted to sign this data I want my users to know whether it has changed from the time that I've released it or not so there's a couple different things you could do so if you've ever seen digital forensic videos before we could do something like I don't know Shaw Shaw once um hello Tesla text test text okay and then this will generate hash value of this test text file and with the hash value I can basically post that hash value with say on my website or with with the file whenever I give it to my users but the problem would be if somebody takes over my website if my website gets hacked then all that person has to do is modify that hash value they could upload a new file modify the hash value and my users would at least think that the hash value is correct and it matches everything so we can do a little bit better and really the problem with hashes in this case is that it doesn't have you know x it doesn't have a user associated with it a hash only says something about the data and that's it okay so we can do a little bit better than that so I've already I have GPG installed and it's installed by default in every Linux distribution that I've used so if we do GPG list secret keys I've already generated a secret key now I'm going to sign the data with my secret key and then I'm going to whenever I release the signature than anyone who has my public key can verify that the data is correct so in this case I've already generated my secret key I may do another video on how to generate secret keys but well so we'll see and in the directory I have my test text file so we can do GPG - sign test text and I've already put my password in once before so it already kind of memorized it for this session but it should ask for your password and it says ok this key has signed the data so if we look again we get this test text and test text GPG now if I do cat test text then it's still hello if I do cat test text GPG it's going to give us just this binary file or binary data so I'm going to clear that help and right so now what what's going on here is they've encapsulated our original file around GPG so GPG they didn't encrypt the data but in the way that we signed it it's kind of like it's encrypting it so you have to use GPG to verify the signature and then you can extract the original data now what does this mean in terms of usability well if I for example modify test text so I change the data I can do GPG - - verify to verify the signature and I can do test text GPG and here we have signature made when it was made good signature from my key okay now the problem here is that my file changed but because the data is actually encapsulated in this this data did not change ok so we can just upload this but it's not very user friendly because then you have to download test text GPG verify the data then extract the original essentially okay so what we tend to do instead is something a little bit different so I'm going to remove this test text GPG we're going to remove that now I have this test text only okay if I do GPG - - detach detach sign test text okay so ask for my passphrase again and then it makes this we look this test test cig okay so if we look cat test text okay one hello test test cig we can do GPG - - verify test test signature we have to verify the signature and what this is doing now instead of encapsulating all of the data inside our GPG file we have this detached signature so this file is only a signature file so you have to have the signature and the data the original data in the same directory to be able to verify that the data is correct so hit enter we have assuming signed data in test text okay signature made good signature from here okay now if we go back and we edit test text let's say go back to hello then we try to verify the data again we get a bad signature from Joshua James basically we can't verify the data because the original file has changed so I said that this was a little bit different than hashing and the reason is I mean we put this back one hello okay verify test test AIESEC okay so here we have a good signature for this now the reason that this is different from a hash let's say that I have this text file I hash it and then I put the hash and the text file on my website if my website is compromised or if my website's compromised then they could change the file and they could change the hash value and there wouldn't really be I mean as long as the hash value is the same as for that file my users probably wouldn't know but if I have this signature right and my users look closely enough basically then the an attacker would have to have access to my private key to be able to modify this so my users could potentially see a wrong key ID they could potentially see a wrong date or a strange date and then they also might not see the correct you know emails or identities basically so if a attacker changes this text file then the signature would be bad if an attacker tries to change the signature then my public key would not verify it correctly right so basically what this does is attaches a user identity or some sort of identity to a file now we tend to do detached signatures because they're a little bit easier to deal with some people just I mean might not want to tests or might not want to verify the data so we can just provide test text on our website or wherever we want to send it and then give the signature as well that way people who are security conscious can actually verify that whether the data is correct or not so this is really useful for large amounts of data or data that you think might potentially be altered from the time that you send it to the time that your recipients actually receive it again this is not encrypting anything we're just creating a signature to be able to verify whether the data is correct or not so that's it for today thank you very much if you liked this video please subscribe for more [Music] you