
Signing Files with PGP

 

Quite often there is no real need to encrypt a document - for instance, a file which only needs a signature to authorise it can have a digital signature attached to it. Signing the file guarantees that it was last modified by the signer and not an impostor. Any subsequent changes to the document will invalidate the signature, thereby demonstrating that it has been tampered with.

There are several ways to sign a file. One is described below:

  • Open Windows Explorer
  • Select the file(s) you want to sign
  • Right click and point to PGP
  • Make sure that the Detached Signature box is ticked
  • Click on Sign and type your passphrase into the resulting dialogue box. This will create a detached signature file.
  • After signing, look in the folder where the original file was located. You will find there are now two files with similar names.

 

Checking that the signature is valid

To check the validity of the signature simply double-click on the .sig file. The following box should appear showing who signed the file:


If, however, the file has been changed in any way after it was signed, the result will be:

This type of signature meets the criteria in the Directive of the European Parliament and of the Council on a Common Framework for Electronic Signatures, i.e.

(a) it is uniquely linked to the signatory,
(b) it is capable of identifying the signatory,
(c) it is created using means that the signatory can maintain under his sole control, and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.


Including the signature in the document

You can sign a document that you already have open.

  • Point to the padlock icon at the bottom right-hand corner of your screen
  • Choose Current Window and then Sign.
  • Supply your passphrase as required

NB - note the difference between this and the earlier passphrase box - there is no Detached Signature check box.


The result will be something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is simply the text of the message. It has not been encrypted, simply signed. You can use this sort of procedure [called clearsigning] for Word files, but not for other file types such as Excel.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOTTwemXwVshkpUaFEQIjvgCg4ZZKcn0FxCiqXAkfsaeE+uEbrhwAn3La
vWnpCeN/Rq0T888ZXPu9ZUD6
=egqh
-----END PGP SIGNATURE-----
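
The signature block above can be decoded to see what it records about the signer. The following is an added example, not part of the original page or of PGP itself: it reads the armoured block shown above and reports the signing key ID, the signature type, the creation time and the algorithms used, and checks that the Hash: line agrees with the signature packet. It does not verify the signature, which requires the signer's public key; the function name inspect_clearsigned is hypothetical, and only old-format version 3 signature packets (the kind in this sample) are handled.

```python
import base64
import struct
from datetime import datetime, timezone

# The sample from this page; the signed text is swapped for a constructed
# placeholder line because only the armoured signature block is decoded.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(constructed placeholder for the signed text)

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOTTwemXwVshkpUaFEQIjvgCg4ZZKcn0FxCiqXAkfsaeE+uEbrhwAn3La
vWnpCeN/Rq0T888ZXPu9ZUD6
=egqh
-----END PGP SIGNATURE-----
"""

PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}              # RFC 4880 section 9.1 (subset)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256"}   # RFC 4880 section 9.4 (subset)

def inspect_clearsigned(text):
    """Decode the signature packet of a clearsigned message (no verification)."""
    text = text.replace("\r\n", "\n")
    head, _, armor = text.partition("-----BEGIN PGP SIGNATURE-----")
    declared = next(l.split(":", 1)[1].strip()
                    for l in head.splitlines() if l.startswith("Hash:"))
    # Armour layout: header lines, blank line, base64 data, "=CRC24", END line.
    data = armor.split("\n\n", 1)[1].splitlines()
    pkt = base64.b64decode("".join(l for l in data if l[:1] not in ("=", "-", "")))
    # 0x89 = old-format packet, tag 2 (signature), two-byte length; then version.
    if pkt[0] != 0x89 or pkt[3] != 3:
        raise ValueError("only old-format version 3 signature packets are handled")
    sig_type, created, key_id, pk, h = struct.unpack(">BI8sBB", pkt[5:20])
    return {
        "declared_hash": declared,
        "sig_type": sig_type,                      # 0x01 = signature over text
        "created": datetime.fromtimestamp(created, timezone.utc),
        "key_id": key_id.hex().upper(),            # which key claims to have signed
        "pubkey_algo": PUBKEY_ALGOS.get(pk, pk),
        "hash_algo": HASH_ALGOS.get(h, h),
        "hash_matches_header": HASH_ALGOS.get(h) == declared,
    }

if __name__ == "__main__":
    for field, value in inspect_clearsigned(SAMPLE).items():
        print(f"{field}: {value}")
```

The key ID only says which key claims to have made the signature; whether that key belongs to the named person, and whether the signature is valid for the text, is what the verification step establishes.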


To verify such a signature, simply point to the padlock again, but this time choose Current Window/Decrypt and Verify. This should result in something like this:

 

'Locking' a signed file

There is a possibility that the recipient of a signed file may (inadvertently or intentionally) change the content, thereby invalidating the signature. You can prevent this by password protecting the file BEFORE you sign it.

With the relevant Word file open, go to Save As and choose Options in the resulting dialogue box.
In the bottom right of the next dialogue box, type a password into the box called Password to Modify. You will be asked to retype this.

You can then sign the file and send it to where it is going. When the recipient opens the file he/she will have to choose 'Read Only' in order to open it, thus preserving its integrity.

PGP will still be able to verify the signature, however.


© 2001 University of St Andrews