Signing Files with PGP
Quite often there is no real need to encrypt a document. A file that
only needs a signature to authorise it, for instance, can simply have a
digital signature attached to it. Signing the file lets anyone with the
signer's public key confirm that it was last modified by the signer and
not an impostor. Any subsequent changes to the document will invalidate
the signature, thereby demonstrating that it has been tampered with.
There are several ways to sign a file. One is described below:
- Open Windows Explorer
- Select the file(s) you want to sign
- Right click and point to PGP
- Make sure that the Detached Signature box is ticked
- Click on Sign and type your passphrase into the resulting
dialogue box. This will create a detached signature file.
- After signing, look in the folder where the original file was located.
You will find there are now two files with similar names: the original
file and its detached signature (.sig) file.
Checking that the signature is valid
To check the validity of the signature simply double-click on the .sig
file. The following box should appear showing who signed the file:
If, however, the file has been changed in any way after it was signed,
the result will be:
This type of signature meets the criteria in the Directive of the European
Parliament and of the Council on a Common Framework for Electronic Signatures:
(a) it is uniquely linked to the signatory,
(b) it is capable of identifying the signatory,
(c) it is created using means that the signatory can maintain under
his sole control, and
(d) it is linked to the data to which it relates in such a manner that
any subsequent change of the data is detectable.
Including the signature in the document
You can sign a document that you already have open.
- Point to the padlock icon at the bottom right-hand corner
of your screen
- Choose Current Window and then Sign.
- Supply your passphrase as required
NB - note the difference between this and the earlier passphrase box:
there is no Detached Signature check box.
The result will be something like this:
-----BEGIN PGP SIGNED MESSAGE-----
This is simply the text of the message. It has not been encrypted,
simply signed. You can use this sort of procedure [called clearsigning]
for Word files, but not for other file types such as Excel.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----
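The layout of a clearsigned message like the one above, as an added example (not part of the original page and not code from PGP): a small Python parser that follows the cleartext signature framing of RFC 4880 and returns the exact bytes the signature covers. It does not check the signature itself; the name parse_clearsigned and the sample message are constructed for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def parse_clearsigned(text):
    """Return (hash names, exact bytes the signature covers, signature block)."""
    lines = text.splitlines()
    if not lines or lines[0].rstrip() != BEGIN_MSG:
        raise ValueError("does not start with the signed-message header")
    i, hashes = 1, []
    # Armor headers run up to the first empty line; only "Hash" is accepted here.
    while i < len(lines) and lines[i].strip():
        key, sep, value = lines[i].partition(": ")
        if key != "Hash" or not sep:
            raise ValueError("unexpected armor header: " + lines[i])
        hashes += [h.strip() for h in value.split(",")]
        i += 1
    body = []
    for i in range(i + 1, len(lines)):
        line = lines[i]
        if line.rstrip() == BEGIN_SIG:
            break
        if line.startswith("- "):
            line = line[2:]                 # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped '-' line inside the signed text")
        body.append(line.rstrip(" \t"))     # trailing blanks are not signed
    else:
        raise ValueError("no signature block found")
    if lines[-1].rstrip() != END_SIG:
        raise ValueError("signature block must end the input")
    # Canonical form: CRLF between lines, no line ending after the last line.
    # Headers inside the signature block (e.g. Version) are not covered.
    return hashes, "\r\n".join(body).encode("utf-8"), "\n".join(lines[i:])

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    "Pay the invoice dated 3 May.   ",
    "- -- Accounts",
    BEGIN_SIG, "Version: constructed example", "",
    "PLACEHOLDER", END_SIG, ""])

if __name__ == "__main__":
    hashes, signed, sig = parse_clearsigned(SAMPLE)
    print(hashes, signed)
```

Anything outside the returned bytes, including the Version line and any text placed before the first header line, is not protected by the signature.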
To verify such a signature, simply point to the padlock
again, but this time choose Current Window/Decrypt and Verify.
This should result in something like this:
'Locking' a signed file
There is a possibility that the recipient of a signed file may (inadvertently
or intentionally) change the content, thereby invalidating the signature.
You can prevent this by password protecting the file BEFORE you
With the relevant Word file open, go to Save As and choose Options
in the resulting dialogue box.
In the bottom right of the next dialogue box, type a password into the box
called Password to Modify. You will be asked to retype this.
You can then sign the file and send it to where it is going. When the
recipient opens the file he/she will have to choose 'Read Only' in order
to open it, thus preserving its integrity.
PGP will still be able to verify the signature, however.