Endpoint Encryption

  • 1.  PGP Desktop: Signing A File So The Signature Wraps the File Instead of Appearing At The End of The File

    Posted Nov 30, 2016 12:15 PM

    I'm using "PGP Desktop" to sign a file for a client using a test public key I created. The problem, as they describe it, is as follows:

    The file has a good signature now however it still failed PGP validation.  The reason it failed is because it’s now being clear-signed.  The signature is attached at the end of the file when it should encompass (wrap) the entire file for it to pass PGP validation.  Do you have an option to disable ‘clear-signing’?

    When I right click the key in the software and view the key properties, I cannot find a way to modify properties of the key so that the signature wraps the message instead of being added at the end (a.k.a: clear-signing). It looked like the compression method may be the way to impact this, so I changed it to "ZIP". That didn't work.

    Any assistance would be greatly appreciated!

    Take it easy on me guys. I've done file encryption plenty of times, but never had a client request the files be signed in this way, so I'm struggling here. They do not support the use of "Kleopatra", and I'd like to leverage what I have. I KNOW this can be done using this tool.

    Thanks!



  • 2.  RE: PGP Desktop: Signing A File So The Signature Wraps the File Instead of Appearing At The End of The File

    Posted Dec 01, 2016 01:13 PM

    What method are you using to encrypt and sign? 

    You may have some terms mixed up.

    Clear sign basically means you can open the file with notepad and see the signature at the end. If you go to open a doc in notepad and don't see Begin PGP signature -- that means it is not clear signed. Probably a normal signature within the compressed file.

    -----BEGIN PGP SIGNATURE-----


    Have you tried the checkbox for Save detached signature? That may work better for them. This will sign the file and keep the signature separate from the encrypted data and is often the most compatible signature method. 

    Also, if it is just text, you can use the clipboard function to copy, encrypt, paste... then copy the encrypted message, sign and paste the signature. Grab some text by right clicking and copy to clipboard. Then use the system tray icon (R click)-> Clipboard -> Encrypt. Select your key. Paste the message. Select the encrypted message, copy. Go back to the system tray and choose clipboard -> Encrypt. Then go ahead and paste the signature after your message.

    So those are all three signing methods...

    1.) Default signing is wrapped into the PGP message. (Or in the case of a .PGP file, it's contained within the compressed & encrypted file.)

    2.) Clear sign shows the signature after the PGP message (visible in notepad).

    3.) Detached signature creates a separate file (.SIG). You should keep it in the same location as the PGP file. Many programs will check for a .sig when they go to decrypt and verify.

    Best Regards,

    Phil



  • 3.  RE: PGP Desktop: Signing A File So The Signature Wraps the File Instead of Appearing At The End of The File

    Posted Dec 02, 2016 09:54 AM

    Phil: Thanks for the most helpful response!

    With this client, we began by sending them the file PGP encrypted with the shared public key. This was fine except that on their end, the automated process (of which I know nothing) is twofold when they get a .pgp encrypted file: first it decrypts the file, then it appears to look for a signature. The decryption part worked fine, but the absence of a signature caused the process to fail. They then explained that raw encryption wasn't necessarily required, but that all files coming to them had to be signed. So, using PGP Desktop, I did the following:

    Right clicked on the file to be signed, selected "Sign as <imported key here>". "Save detached key(s)" was left checked. And, as you indicated, this generated a detached signature file (.SIG).

    This method was unacceptable to them, as they "do not support detached signatures."

    Back to the drawing board, I then performed the same aforementioned step, but this time, unchecked the "Save detached keys(s)" box. The file was then signed, but had the .PGP extension. If you opened it in notepad, it looked like this:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    <DATA CONTENT HERE>
    -----BEGIN PGP SIGNATURE-----
    Version: PGP SDK 4.0.1

    <SIGNATURE HERE>
    -----END PGP SIGNATURE-----


    This is your item #2 and was unacceptable to them and regarded as "clear signed", which they do not support. As they indicated, they needed the signature to encapsulate or "wrap" the message.

    And you're right, I may be misusing and/or mixing terms a bit.

    With item #1 you mentioned that default signing is wrapped into the PGP message. It doesn't appear that this is doable simply by encrypting a file using your imported public key. At least not for me. Can you tell me how to achieve this?

    I did notice the copy and paste option you mentioned, but I wasn't sure how to arrange the information in the file. I'll give this a try as well and see if I make any headway.

    Thanks so much for the help!



  • 4.  RE: PGP Desktop: Signing A File So The Signature Wraps the File Instead of Appearing At The End of The File

    Posted Dec 02, 2016 11:14 AM

    One more detail. Below is the explanation given for the problem this client is having:

    The test file failed.  The signature is appearing at the end of the file versus wrapping the file (see below).


    -----BEGIN PGP SIGNED MESSAGE-----

    Hash: SHA256

    <DATA HERE>


    -----BEGIN PGP SIGNATURE-----  < --- This should begin at the top where is says: “BEGIN PGP SIGNED MESSAGE.”

    Version: PGP SDK 4.0.1

    <SIGNATURE HERE>

    -----END PGP SIGNATURE-----

    It's almost as if all they require is to stick the signature at the front of the data, but that doesn't "wrap" the data in the signature.



  • 5.  RE: PGP Desktop: Signing A File So The Signature Wraps the File Instead of Appearing At The End of The File

    Posted Dec 02, 2016 01:34 PM

    These guys are really picky eh? 


    With PGP Desktop, you either create an encrypted message from text, or you're creating a .PGP file, which is encrypted.

    The effect you are looking for is done with text by copying the text to your clipboard. Then, going to system tray icon (R click) and select "Clipboard -> Sign and encrypt".

    When you paste, you will get a message with the following header and footer : 


    -----BEGIN PGP MESSAGE-----
    Version: Encryption Desktop 10.3.x (Build xxxxx)
    Charset: utf-8


    -----END PGP MESSAGE-----


    This is a Signed and encrypted message with a single wrapper. It may as well say 

    -----BEGIN PGP Signed MESSAGE-----
    Version: Encryption Desktop 10.3.x (Build xxxxx)
    Charset: utf-8


    -----END PGP MESSAGE-----

    Since there IS a signature in there. It's just not announcing it in the header. You could put the word SIGNED in there manually if they are really that picky...

    This method can't be used with files... For files, you'll just want to select

    However, if you are sending them files ( not text ) the result will not include the PGP headers. So the closest thing you have is the clipboard method described above.


    Alternatively to create a message formatted the way that they want it, you could use the clipboard method to ENCRYPT only, and paste that into notepad... Then highlight the data in the notepad, copy the encrypted message (Header and all) and then use the clipboard method to SIGN. Then you can paste the signature directly after the encrypted data. This is very manual of course, but you have a picky customer...


    Really, your PGP Desktop client seems to be working fine, but the recipient is very picky about how they want the file created. You could also consider an open source alternative to try and meet their formatting needs. ( GPG4Win for example ) Ideally, for maximum compatibility you and the recipient should be using the same encryption software with similar versions.
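As an added example (not from this thread, and not PGP Desktop's own code), the Python helper below tells the three forms Phil lists apart, plus the armored PGP MESSAGE form from the last post, by reading the ASCII-armor header or, for a binary .pgp/.sig, the first OpenPGP packet tag as defined in RFC 4880. The sample inputs are constructed placeholders shaped like the snippets quoted above, and the packet-tag names are the RFC's, not anything PGP Desktop exposes.

```python
import re

# Matches the first ASCII-armor header line (RFC 4880, section 6.2).
ARMOR_HEADER = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----\s*$", re.M)

# OpenPGP packet tags (RFC 4880, section 4.3) seen at the start of binary files.
PKESK, SIG, SKESK, ONE_PASS_SIG, COMPRESSED, LITERAL = 1, 2, 3, 4, 8, 11

# Constructed samples with the shapes quoted in the thread (no real signatures).
CLEAR_SIGNED = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n<DATA>\n"
                b"-----BEGIN PGP SIGNATURE-----\n\n<SIG>\n-----END PGP SIGNATURE-----\n")
ARMORED_MESSAGE = b"-----BEGIN PGP MESSAGE-----\nCharset: utf-8\n\n<BODY>\n-----END PGP MESSAGE-----\n"
DETACHED_SIG = b"-----BEGIN PGP SIGNATURE-----\n\n<SIG>\n-----END PGP SIGNATURE-----\n"
BINARY_SIGNED = b"\xc8\x00"  # new-format header byte for a compressed-data packet (tag 8)

def packet_tag(header_byte: int):
    """Decode the tag from the first byte of a binary OpenPGP packet (RFC 4880,
    section 4.2). Returns None when bit 7 is clear, i.e. not a packet header."""
    if not header_byte & 0x80:
        return None
    if header_byte & 0x40:              # new-format header: tag in bits 0-5
        return header_byte & 0x3F
    return (header_byte >> 2) & 0x0F    # old-format header: tag in bits 2-5

def classify_signature_form(data: bytes) -> str:
    """Say which of the thread's forms `data` uses:
    'clear-signed'  SIGNED MESSAGE armor with the signature appended (Phil's #2)
    'detached'      a bare signature with no message inside it (Phil's #3)
    'wrapped'       a PGP MESSAGE or binary .pgp whose signature, if any, is
                    inside the message (Phil's #1); encrypted files land here too
    'key-block'     a key export, not a signed message
    'unknown'       not recognisably OpenPGP"""
    m = ARMOR_HEADER.search(data.decode("utf-8", errors="replace"))
    if m:                               # ASCII-armored input
        kind = m.group(1)
        if kind == "SIGNED MESSAGE":
            return "clear-signed"
        if kind == "SIGNATURE":
            return "detached"
        if kind == "MESSAGE":
            return "wrapped"
        return "key-block" if kind.endswith("KEY BLOCK") else "unknown"
    tag = packet_tag(data[0]) if data else None   # binary .pgp / .sig
    if tag == SIG:
        return "detached"
    if tag in (PKESK, SKESK, ONE_PASS_SIG, COMPRESSED, LITERAL):
        return "wrapped"
    return "unknown"
```

This only inspects the outer structure, so it is useful for checking which form a file is in before it goes to a picky recipient; it does not verify the signature itself.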