Signing files and messages

Signing a file or message means creating a signature over its data. There are two ways to store the newly created signature:

  • by wrapping the file in an OpenPGP message structure which includes the signature
  • by creating a detached signature within its own file, leaving the signed data untouched

The first option has the advantage that everything is in one file. The second option has the advantage that the signed file doesn't change, so it can be used without first unwrapping the OpenPGP message structure.

Creating an inline signature

$ sq sign --signer $FINGERPRINT $FILE

In this example a signature is created over the content of the file $FILE using the key designated by $FINGERPRINT. Instead of using the data from a file, sq sign can also take data from STDIN.

$ echo "my message" | sq sign --signer $FINGERPRINT

The signed message produced by this operation is printed to STDOUT:

$ echo "my message" | sq sign --signer $FINGERPRINT
-----BEGIN PGP MESSAGE-----

xA0DAAoWQeEtk/c7kG4Byw9iAAAAAABleGFtcGx0ZQrCvQQAFgoAbwWCZyt6wAkQ
QeEtk/c7kG5HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn
72xkqs1135T2u5oIlngq51GwLmFm8jevOh4nssMT/WMWIQTlcn7y4+W/syeiLW1B
4S2T9zuQbgAA4VgBAK5XsyCTIA1VrZQYkKm7BpygYnco7K+IrWFR9ePczM3BAP9j
6V37oWwULdWG3vZsIweDNbjWfHeblOQzajAFjDEWDA==
=HkKe
-----END PGP MESSAGE-----

The output can be written to a file either by redirecting STDOUT with > or by specifying --output $NEW_SIGNED_FILE.

Instead of a key from the key store (selected with --signer), a key stored in a file can be used by passing --signer-file $KEYFILE.

Creating a detached signature

$ sq sign --signer $FINGERPRINT --signature-file $FILE
-----BEGIN PGP SIGNATURE-----

wr0EABYKAG8FgmcrfMgJEEHhLZP3O5BuRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z
LnNlcXVvaWEtcGdwLm9yZ9pEw/OyHXskP8ODrJIZdpKXKXa4cJdbYSnAYuevHk1j
FiEE5XJ+8uPlv7Mnoi1tQeEtk/c7kG4AABr1AP9H0PDDa6TH5ocDtrpxPuPa3Abq
VnWu8rw1pMaW7G1aHwD/RCxGUGskETDDRXmK4Sfl8JeqoKABEWXi9w6HaQD7SAA=
=nZsK
-----END PGP SIGNATURE-----

This time only the newly generated signature is printed to STDOUT; $FILE is left untouched. As with inline signing, you can use --signer-file and --output.
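The following Python is an added illustration of the difference between the two storage forms described in the inline and detached sections above; it is not part of this page or of sq itself. It decodes the two armored outputs shown on this page and walks their OpenPGP packet sequence: the inline message turns out to carry a one-pass signature packet, the literal data itself and the signature packet, while the detached output is a single signature packet. It uses only the Python standard library.

```python
import base64

# The two sample outputs shown on this page, base64 lines joined, each with its "=XXXX" checksum.
INLINE_MESSAGE = ("xA0DAAoWQeEtk/c7kG4Byw9iAAAAAABleGFtcGx0ZQrCvQQAFgoAbwWCZyt6wAkQQeEtk/c7kG5HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn72xkqs1135T2u5oIlngq51GwLmFm8jevOh4nssMT/WMWIQTlcn7y4+W/syeiLW1B4S2T9zuQbgAA4VgBAK5XsyCTIA1VrZQYkKm7BpygYnco7K+IrWFR9ePczM3BAP9j6V37oWwULdWG3vZsIweDNbjWfHeblOQzajAFjDEWDA==", "HkKe")
DETACHED_SIGNATURE = ("wr0EABYKAG8FgmcrfMgJEEHhLZP3O5BuRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ9pEw/OyHXskP8ODrJIZdpKXKXa4cJdbYSnAYuevHk1jFiEE5XJ+8uPlv7Mnoi1tQeEtk/c7kG4AABr1AP9H0PDDa6TH5ocDtrpxPuPa3AbqVnWu8rw1pMaW7G1aHwD/RCxGUGskETDDRXmK4Sfl8JeqoKABEWXi9w6HaQD7SAA=", "nZsK")
TAGS = {2: "signature", 4: "one-pass signature", 11: "literal data"}

def crc24(data):
    """Armor checksum (RFC 4880 6.1): it catches transport damage only; integrity comes from the signature."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def packets(data):
    """Split a packet sequence into (tag, body) pairs (RFC 4880 4.2); partial body lengths are unsupported."""
    i, found = 0, []
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                        # new-format header, as sq emits
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                                 # old-format header (other implementations)
            tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]   # KeyError on indeterminate length
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        found.append((tag, data[i:i + length]))
        i += length
    return found

def describe(b64_body, crc):
    """Return (packet names, checksum ok, embedded literal data or None) for one armored block."""
    data = base64.b64decode(b64_body)
    crc_ok = base64.b64decode(crc) == crc24(data).to_bytes(3, "big")
    found = packets(data)
    literal = [body[6 + body[1]:] for tag, body in found if tag == 11]  # skip format, filename, date
    return [TAGS.get(tag, "tag %d" % tag) for tag, _ in found], crc_ok, literal[0] if literal else None
```

Running describe(*INLINE_MESSAGE) also returns the literal data wrapped inside the message, which is why the inline form can be used without unwrapping it first only after a verifier has extracted it.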