Endpoint Encryption

  • 1.  pgp --verify verifies an encrypted file (which is not signed).

    Posted May 15, 2013 02:36 AM

    Hi,

    For an encrypted file, if I run the verify command, it returns success. Please note, the file is not signed.

    Scenario -

    Creating the encrypted file.

    pgp --encrypt abc.txt --recipient <The owner of public key in your key ring/ to whom you want to send the encrypted file>

    (here recipient's pub ring is already imported and signed by private key).

    Verification of the file

    On the other side, once the file is received by the recipient, this file can be verified with the command below.

    pgp --verify abc.txt.pgp --passphrase <passphrase>

    This verifies successfully although this file is not signed.

    Please advise on the below:

    1. Is anything missing here to avoid the encrypted file getting verified successfully?

    2. The basic requirement is: if the file is not signed, verification should fail.

    3. Is it that, while encrypting, pgp is also adding a signature (of a kind) on the encrypted file, which is then verified during verification? If yes, how do we avoid the files getting a signature on them?

    Thanks & Regards

    Abhijit




  • 2.  RE: pgp --verify verifies an encrypted file (which is not signed).

    Posted May 16, 2013 08:44 AM

    Just to add to it, the command line returns exit code 0, which is then caught in the Java code and treated as success.

    Expectation was: it would give a non-zero exit code if the file was not signed and verification is run.



  • 3.  RE: pgp --verify verifies an encrypted file (which is not signed).

    Posted May 16, 2013 04:23 PM

    I understand your expectation.  This is the current behavior, and we may change it in a future release.

    For now, the best solution I can offer is to parse the output of "pgp --verify" and look for output indicating that the message was signed.  In the output you will find

    3038:signing key <information about the key>

    if the key is available in your keyring, or

    3039: signing key <KeyID>

    if the key is not available.

    Regards,




  • 4.  RE: pgp --verify verifies an encrypted file (which is not signed).

    Posted May 17, 2013 12:15 AM

    Thanks David for the prompt reply, this will help us in the case when we try to verify and the key is not present.

    Imagine the public key (of the sender) is present in the key ring and the sender sends an encrypted file which is not signed, while we expect it to be signed. When we verify it, it gives us exitCode=0, i.e. success, which we catch in Java code (the output/err stream of the ProcessBuilder class).

    Is there any way to identify if the file is signed only, encrypted only, or both?

    Thanks in advance for your help.



  • 5.  RE: pgp --verify verifies an encrypted file (which is not signed).

    Posted May 17, 2013 03:50 PM

    Yes, if you have the signer's key in your keyring and run "pgp --verify [file name] --passphrase [your passphrase]" you'll see the following information printed for a file that was signed:

     

    [file name]:verify (3177:message signed by key ID [Key ID of Signer])
    [file name]:verify (3038:signing key [Key ID of Signer] [User ID of Signer])
    [file name]:verify (3040:signature created 2013-05-17T12:41:10-07:00)
    [file name]:verify (3170:signature hash SHA-256)
    [file name]:verify (3035:good signature)
     
    None of this information about the signature will be present if the file is not signed.  The numerical identifiers (3177, 3038, 3040, 3170, 3035) effectively identify the "status code" of parsing the file information.
     
    If you don't have the signing key available, you won't see code 3038, instead you will see 3039.
     
    Regards,
     


  • 6.  RE: pgp --verify verifies an encrypted file (which is not signed).

    Posted May 22, 2013 06:41 AM

    Thanks David, this helped us.

    =================

    1 more question.

    If a file (signed by someone else) needs to be verified at our end and my key ring has multiple public keys (say 10-15 public keys or even more):

    Can I mention which specific public key is to be used while verifying? (Although it is not required and PGP understands on its own, still, to be specific, I want to understand.)

    Generally the command is -

    pgp --verify <FileName>.txt.pgp --passphrase <passphrase>

    Here, can we not have something like the below?

    pgp --verify <FileName>.txt.pgp --passphrase <passphrase> --<key_to_used> <KEY_NAME>

    Thanks in advance

    Abhijit



  • 7.  RE: pgp --verify verifies an encrypted file (which is not signed).

    Posted May 22, 2013 02:46 PM

    There isn't a way to do that exactly.  What you can do is look for status code 3177 and get the key ID used to do the signature and make sure that is the key you expect.

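As an added example (not code from the thread or from the PGP Command Line product), a Python parser for the `pgp --verify` status lines quoted in reply #5 that implements the two checks David suggests in replies #5 and #7: treat the file as signed only when codes 3177 and 3035 are present, and compare the key ID reported by 3177 with the one you expect, instead of trusting exit code 0. The line format follows reply #5; the `0x`-prefixed hex key ID format and the sample output are assumptions constructed for the example.

```python
import re

# Status codes and line format quoted in the replies above (PGP Command Line --verify).
CODE_SIGNED_BY = 3177            # message signed by key ID <id>
CODE_SIGNING_KEY_KNOWN = 3038    # signing key <id> <user id>: signer's key is in the keyring
CODE_SIGNING_KEY_UNKNOWN = 3039  # signing key <id>: signer's key is NOT in the keyring
CODE_GOOD_SIGNATURE = 3035       # good signature

LINE_RE = re.compile(r"^(?P<file>.+?):verify \((?P<code>\d+):(?P<msg>.*)\)\s*$")
# Assumption: key IDs are printed as hex, optionally 0x-prefixed (e.g. 0x1234ABCD).
KEY_ID_RE = re.compile(r"key ID (?:0x)?([0-9A-Fa-f]+)")

def parse_verify_output(output: str) -> dict:
    """Reduce pgp --verify stdout to the signature facts the thread relies on."""
    result = {"signed": False, "signer_key_id": None,
              "signer_in_keyring": None, "good_signature": False}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a verify status line; ignore it
        code, msg = int(m.group("code")), m.group("msg")
        if code == CODE_SIGNED_BY:
            result["signed"] = True
            km = KEY_ID_RE.search(msg)
            if km:
                result["signer_key_id"] = km.group(1).upper()
        elif code == CODE_SIGNING_KEY_KNOWN:
            result["signer_in_keyring"] = True
        elif code == CODE_SIGNING_KEY_UNKNOWN:
            result["signer_in_keyring"] = False
        elif code == CODE_GOOD_SIGNATURE:
            result["good_signature"] = True
    return result

def verification_passed(output: str, expected_key_id: str) -> bool:
    """Exit code 0 is not enough: require a good signature from the expected key."""
    expected = re.sub(r"^0X", "", expected_key_id.strip().upper())
    r = parse_verify_output(output)
    return bool(r["signed"] and r["good_signature"]
                and r["signer_key_id"] == expected)

# Constructed sample output in the format shown in reply #5 (not real tool output).
SIGNED_SAMPLE = """abc.txt.pgp:verify (3177:message signed by key ID 0x1234ABCD)
abc.txt.pgp:verify (3038:signing key 0x1234ABCD Alice Example <alice@example.com>)
abc.txt.pgp:verify (3040:signature created 2013-05-17T12:41:10-07:00)
abc.txt.pgp:verify (3170:signature hash SHA-256)
abc.txt.pgp:verify (3035:good signature)
"""
# An encrypted-only file produces none of the signature lines above (per reply #5).
UNSIGNED_SAMPLE = "abc.txt.pgp:decrypt (constructed placeholder line, no signature codes)\n"
```

In the Java wrapper from the thread, feed the captured stdout of ProcessBuilder through the same logic and fail the job when `verification_passed` would return false, regardless of the exit code.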



  • 8.  RE: pgp --verify verifies an encrypted file (which is not signed).
    Best Answer

    Posted May 28, 2013 05:35 AM

    Thanks David.