簽章驗證

1. 產生一個測試檔。

   [dywang@dywH rhcx]$ echo dyw123 > dywdemo.txt
   [dywang@dywH rhcx]$ cat dywdemo.txt
   dyw123
   

2. 讀取 passphrase 對 dywdemo.txt 做明文簽章，並存成 dywdemo.sign.txt 檔。

   [dywang@dywH rhcx]$ unset DISPLAY
   [dywang@dywH rhcx]$ gpg --passphrase-file passphrase --output dywdemo.sign.txt --clearsign dywdemo.txt
   
   You need a passphrase to unlock the secret key for
   user: "De-Yu Wang (rhcx) <dywang7@gamil.com>"
   2048-bit RSA key, ID 907CE30E, created 2013-06-20
   

3. 列出 demo.sign.txt 檔。

   [dywang@dywH rhcx]$ cat dywdemo.sign.txt 
   -----BEGIN PGP SIGNED MESSAGE-----
   Hash: SHA1
   
   dyw123
   -----BEGIN PGP SIGNATURE-----
   Version: GnuPG v2.0.14 (GNU/Linux)
   
   iQEcBAEBAgAGBQJTkOXnAAoJEAGgsPGQfOMOKEYIAJ++blVB12bw5AIYgg1k/TNy
   ZSSpbilAfYIFjMwmcBONwTyhkcTnSCKZsuCG6bK1Cv+PId3d+ot+JBP5g7GnskbJ
   dwEEWywPZSRw0tGajTZyVz792UlCYIy3TSXpMaXZTixI0DgRMbsEL/qiAflyzbtz
   9RirOXLlDTFxQhxs7y7N3sJkjcuEHvsBtZgGR1vtX30BB8Lm9zLxGBpJKGroKnH1
   m9jeDEWTYB/W5ieRa5nDbDEEA0IzN/DwEe/hhbOjOHIZ+LltH708EO3coQgDG9tz
   deLW02xwnUrOQ4SseOXLtdUTZXlwUN5dwJXwYtSC2HhZeOzbHsCmoqmr90i5fU4=
   =SPat
   -----END PGP SIGNATURE-----
   

4. 將 dywdemo.sign.txt 檔傳送到目的地。

   [dywang@dywH rhcx]$ scp dywdemo.sign.txt deyu1@kvm8.deyu.wang:
   The authenticity of host 'kvm8.deyu.wang (192.168.122.8)' can't be established.
   RSA key fingerprint is 27:37:84:f6:7e:de:90:75:b0:4c:6d:aa:62:a7:6e:2d.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added 'kvm8.deyu.wang' (RSA) to the list of known hosts.
   Warning: the RSA host key for 'kvm8.deyu.wang' differs from the key for the IP address '192.168.122.8'
   Offending key for IP in /home/dywang/.ssh/known_hosts:3
   Are you sure you want to continue connecting (yes/no)? yes
   deyu1@kvm8.deyu.wang's password: 
   Permission denied, please try again.
   deyu1@kvm8.deyu.wang's password: 
   dywdemo.sign.txt                                                                                         100%  544     0.5KB/s   00:00 
   

5. 在主機 kvm8 的用戶 deyu1 先列出目前的 gpg keys，確認有 De-Yu Wang 的 公鑰。

   [deyu1@kvm8 ~]$ gpg --list-keys
   /home/deyu1/.gnupg/pubring.gpg
   ------------------------------
   pub   2048R/A98B198E 2014-05-26
   uid                  abc123 (ABC) <abc123@csie.cyut.edu.tw>
   sub   2048R/C039E2B6 2014-05-26
   
   pub   2048R/907CE30E 2013-06-20
   uid                  De-Yu Wang (rhcx) <dywang7@gamil.com>
   sub   2048R/26F7F452 2013-06-20
   

6. 驗證 dywdemo.sign.txt 檔的簽章，確實為 De-Yu Wang。確認訊息中會有一段警告訊息，提醒您即使 gpg 程式已確認此檔案的簽章，但還是不能保證此檔案的簽章確實由該本人所簽。

   [deyu1@kvm8 ~]$ gpg --verify dywdemo.sign.txt 
   gpg: Signature made Fri 06 Jun 2014 05:49:27 AM CST using RSA key ID 907CE30E
   gpg: Good signature from "De-Yu Wang (rhcx) <dywang7@gamil.com>"
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   Primary key fingerprint: C6DA 8C49 D1C5 ED1C 9029  C170 01A0 B0F1 907C E30E
   

7. 修改簽章檔 dywdemo.sign.txt，存成 dywdemo.signb.txt。

   [deyu1@kvm8 ~]$ cp dywdemo.sign.txt dywdemo.signb.txt 
   [deyu1@kvm8 ~]$ sed -i 's/dyw123/DYW123/' dywdemo.signb.txt 
   [deyu1@kvm8 ~]$ grep DYW123 dywdemo.signb.txt 
   DYW123
   

8. 驗證 dywdemo.signb.txt 的簽章，發現檔案內說明簽章者為 De-Yu Wang，但卻是錯的。

   [deyu1@kvm8 ~]$ gpg --verify dywdemo.signb.txt 
   gpg: Signature made Fri 06 Jun 2014 05:49:27 AM CST using RSA key ID 907CE30E
   gpg: BAD signature from "De-Yu Wang (rhcx) <dywang7@gamil.com>"