0

It is my understanding that when file is signed with gpg the signature will provide 2 guarantees, a proof of ownership of the signature and the integrity of the signed data.

lets say I have a doc.txt I want to sigh, so I use:

gpg --output doc.sig --detach-sig doc.txt

but I see that many software destitution use a slightly different scheme to provide the same guarantee using extra step.

instead of signing doc.tx directly with gpg a checksum of doc.txt is created and then this checksum is signed with gpg.

So why add this extra step with the checksum file?

p3t3
  • 1
  • 1
  • If you clear-sign (a file containing) the hash, someone without a working PGP implementation can still check the hash; that protects against some possible problems, though not as many as checking the signature. Also you can have a single file of hashes that covers multiple data files (especially with the 'standard' format used by Unix sha1sum -c etc), while a PGP signature must be one-for-one, and if you use detached signatures (to keep the data files 'clean') that's often a zoo of tiny files cluttering up your system. – dave_thompson_085 May 07 '20 at 02:33
  • Thanks, makes sense to take the checksum route when dealing with multiple data files. – p3t3 May 07 '20 at 06:09

1 Answers1

2

Imagine you have a 250GB file (a disk image, a Blu-Ray movie, something very large), and you want to sign it. It would be a massive process to calculate the digital signature of it. And to check the signature would be massive too. You would not want that.

Instead, you use a good, fast hash (SHA-family or MD5, for example), calculate the hash of the file, and use the slow, CPU-intensive digital signature only on the very small hash.

If anyone changes the file, the hash will change and invalidate the signature. if someone alters the hash, the verification will fail. Either way you are protected.

ThoriumBR
  • 53,925
  • 13
  • 135
  • 152
  • 3
    All signature algorithms supported by PGP (and most others too) already start by hashing the data, so the performance is identical either way. – dave_thompson_085 May 07 '20 at 02:34
  • Also, without applying the hash function first, the message would have to be split into blocks small enough for the digital signature algorithm to act on each block separately. This would complicate not only the signing process, but the verification process as well. – mti2935 Jun 05 '20 at 23:30