Data Signatures
(Data) signatures are a cryptographic tool to demonstrate the authenticity of some data.
In the narrowest sense, a data signature shows that some signer has used their key to issue a cryptographic statement about some data (such as an email message, or a source code archive).
Typically, OpenPGP data signatures signal either authorship (such as “this email has been written by me”) or approval (such as “this project certifies that this source code archive contains an official release of ours”).
“Inline”-Signing a message
Inline signed messages combine the signed data and a signature over it into a “signed OpenPGP message”. Using the keys from the “hello world” article, we can produce a signed message like this:
echo "this is a message" | rsop inline-sign alice.tsk > signed.msg
Verifying the signature
Anyone who has a copy of this message and Alice’s certificate (in the file alice.cert) can now verify this message’s signature:
cat signed.msg | rsop inline-verify alice.cert
this is a message
Note that rsop outputs the verified message body as confirmation that a valid signature exists.
Cleartext signed messages
Cleartext signatures are a variation on regular inline signed messages. They can be produced like this:
echo "this is a message" | rsop inline-sign --as clearsigned alice.tsk > cleartext-signed.msg
Verifying cleartext signed messages with SOP works exactly the same as for regular inline signed messages.
See the section on cleartext signatures in openpgp.dev for more discussion.
Detached signatures
Finally, in some contexts it is best to produce a signature that is kept in a separate file from the data that is signed.
A typical example is a signature over a source code archive. Let’s say we have a (potentially large) file called foobar_v0.1.1.tar.gz and want to create a signature over it.
Alice can produce a signature like this:
cat foobar_v0.1.1.tar.gz | rsop sign alice.tsk > foobar_v0.1.1.tar.gz.sig
Such a signature is always small: its size does not grow with the size of the signed payload.
Verifying detached signatures
Third parties can verify a detached signature with SOP, given the payload, the signature and Alice’s OpenPGP certificate:
cat foobar_v0.1.1.tar.gz | rsop verify foobar_v0.1.1.tar.gz.sig alice.cert
2025-04-24T16:21:04Z d06e89468da7be326c07b73769c818f11e3b8763 d06e89468da7be326c07b73769c818f11e3b8763 mode:binary {"signers":["alice.cert"]}
The SOP output when verifying a detached signature is more technical than for the other SOP commands we have looked at so far.
Each output line describes one valid signature. It shows the creation time of the signature, the fingerprint of the certificate and of the specific component key that issued the signature, as well as the SOP input file that contained that particular certificate (which can be useful when giving a SOP implementation multiple files with multiple certificates to verify a signature against).
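In practice a caller should not stop at “rsop verify exited successfully”: it should also check that the signing key reported on the verification line is the one it expects. The following bash helpers, written as an added example (not part of rsop or the SOP specification), parse a verification line such as the one shown above into its fields and check the signing-key fingerprint against a pinned value; the sample line is the one printed above.

```bash
#!/usr/bin/env bash
# Added example: parse and check rsop's VERIFICATION output line.
# Field layout, as shown above: <timestamp> <certificate fingerprint>
# <signing-key fingerprint> [mode:<mode>] [extra JSON].

# Print the five fields of one verification line on separate lines:
# timestamp, certificate fingerprint, signing-key fingerprint, mode, JSON.
parse_verification() {
    local line="$1" ts cert key rest mode="" json=""
    read -r ts cert key rest <<<"$line"
    case "$rest" in
        mode:*) mode="${rest%% *}"; mode="${mode#mode:}"
                json="${rest#"${rest%% *}"}"; json="${json# }" ;;
        *)      json="$rest" ;;
    esac
    printf '%s\n%s\n%s\n%s\n%s\n' "$ts" "$cert" "$key" "$mode" "$json"
}

# Return 0 only if at least one verification line was issued by the pinned
# signing key.  $1: full output of `rsop verify`, $2: expected fingerprint.
signed_by_key() {
    local output="$1" want key line
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=$(parse_verification "$line" | sed -n '3p' | tr 'a-f' 'A-F')
        case "$key" in
            *[!0-9A-F]*|"") continue ;;   # not a hex fingerprint: ignore the line
        esac
        [ "$key" = "$want" ] && return 0
    done <<<"$output"
    return 1
}

# The verification line printed above, used here as sample input.
SAMPLE_LINE='2025-04-24T16:21:04Z d06e89468da7be326c07b73769c818f11e3b8763 d06e89468da7be326c07b73769c818f11e3b8763 mode:binary {"signers":["alice.cert"]}'

# Typical use (PINNED is the fingerprint you obtained out of band):
#   signed_by_key "$(rsop verify foobar_v0.1.1.tar.gz.sig alice.cert \
#                    < foobar_v0.1.1.tar.gz)" "$PINNED" || echo "unexpected signer"
```

Checking the signing-key fingerprint rather than only the exit status guards against the case where alice.cert is swapped for a different certificate that also carries a valid signature over the payload.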