How to Clearsign and Verify a Message using PGP/GPG

Note that you will need to have GnuPG (GPG) installed before starting the tutorial.

The theory behind this is very similar to that of the signing a file, only that clearsigning allows you to sign messages not files. This is ideal for when you want to sign a Tweet, a blog post, or anything else of that nature.

GPG describes this method like this:

A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it. The option --clearsign causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the document.

To create a clearsign, use this command:

gpg --clearsign doc.txt

Where “doc.txt” is the file that contains the message you want to clearsign. This will output a “doc.txt.asc” file which, when opened by Notepad or any other text editor, will have the message with the signature in the below form:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

Hello, this is a PGP clearsigned message. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2
iQCxI0qdhZJRpAJYTrByv1tlgaf3S0Y08vh/qU6P4H/1IHij12+gUul9Y9x86Uo9Ko yKmaXFF6wFZtepBG5Dgbi//8kvi7I6ynZctsB7wib9yoUfmqJoxPwXOD8al0qHm3 1bCxI0qdhZJRpAruVOnfzKMQDhUceR/VWK6wEtUehXgW+4fiUCTmboNz2cnv1 9vQ+eZrtbrq2aZvzKMQDhUc+r2dH5BTdLOXfPEqRLuWMIGQMJHyNFS4JAOWfdYnP YyPMD880lhKl+8bLI/XZMih6f+9jOkFE8wFHN+UAVVn5sZ6TwmDJCFAxdLbQDvs/ OWQTJDDxIkxaDaS0vwrJ4L+m2yv1tlgaf3S0Y08vh/qUYn1Ov3Y6X0Rl/CQnq3M= =jSBM -----END PGP SIGNATURE-----

You can now copy all of this text over, and you have a clearsigned message!

To verify a clearsigned message, simply input this command:

gpg --verify doc.txt.asc

And it will tell you if it is verifiable. It will give you a warning about the file not having a detached signature, but you can disregard that warning if the first line says “good signature” or something to that degree.

Bonus: How to create a detached signature
GPG describes this method:

A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature. A detached signature is created using the --detach-sig option.

To create a detached signature, simply input this command:

gpg --output doc.sig --detach-sig doc.txt

Where “doc.txt” is the document you want to detach-sign and doc.sig is the detached signature.

Verifying such a document (using both the document and the detached signature file) can be done so:

gpg --verify doc.sig doc.txt

And you are Done!

7 Likes

When using vim go in command mode (press ESC) and then:

:%!gpg --clearsign

Then to save it to a file

:w myfile.asc

6 Likes

Awesome. No plugins needed, right?

1 Like

Right…
% means select the whole text
!cmd means pipe the selected text into the command cmd and substitute that text with the output of the command

The command can be anything, including pipes… %!gzip|base64

4 Likes

Aah thanks for putting this article up.
By the way GPG uses PGP in case people didn’t figure that out yet.

3 Likes