gnupg - How does the process of signing and verifying a release work, and why does Apache say that the signature file is signed by a public key?


I have started learning GPG, and I'm a bit confused by the information I have found. The GnuPG documentation says that

a signature is created using the private key of the signer

but Apache's site says:

the signature file is a digest of the original file signed by the public key...

and on the same site, in another section, the following:

a digital signature is created from the original document using the private key.

Now, I suppose the process of signing involves signing the hash of the release using the private key of the holder, not the public one as Apache says in the second link I have posted, or am I wrong? Otherwise, how would anyone ever be able to decrypt the hash of the release signed with the public key if he/she doesn't have the private key of the holder?

Then, could you explain what the processes of signing and verifying a signature consist of, step by step, e.g. for a software release like Apache Maven?

tl;dr: there is a mistake in the documentation; your understanding of signatures is right.

the signature file is a digest of the original file signed by the public [sic, should be private] key...

Signing a document is performed by calculating a hash sum of the document (asymmetric cryptography is slow for large amounts of data), which is encrypted using the private key, so it can be decrypted using the public key. If the decryption process results in the same hash sum calculated from the original document, it must have been encrypted using the private key, which is known to the signer; authorship is verified.

Encryption (leaving apart the aspect of hybrid cryptosystems, which OpenPGP is; the general concept stays the same) works the other way round: the public key is used for encryption, and the private key can be used to decrypt the information.

I added a bug report for the documentation issue (closed/fixed since 2015-07-29).

Then, could you explain what the processes of signing and verifying a signature consist of, step by step, e.g. for a software release like Apache Maven -> https://maven.apache.org/download.cgi?preferred=ftp://apache.mirrors.tds.net/pub/apache.org/ ?

  1. You need to fetch the public key used for signing the software (usually, download it from a keyserver using gpg --recv-key [key-id]).
  2. Verify the key's integrity, for example by speaking to the developers, through the web of trust, or from the product's HTTPS-encrypted website (depending on how paranoid you're at verifying authorship).
  3. Issue a signature to certify the key if it is not verified through the web of trust; if you don't want to create a public one, there are local signatures that are never transmitted to the keyserver network.
  4. Finally, use gpg --verify to check that the signature was indeed issued with the product maintainer's key.
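The signing and verifying sides of the answer, run end to end as an added example that is not part of the original answer: a throwaway key pair signs a stand-in release file with its private key, and a second, empty keyring holding only the exported public key verifies the detached .asc signature and then rejects a tampered copy. It assumes gpg (GnuPG 2.1 or later) is installed; the maintainer identity and file names are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Everything happens in scratch
# GNUPGHOME directories, so the real keyring is never touched. Names are made up.
set -eu

WORK=$(mktemp -d)

# Maintainer's side: generate a throwaway key and sign the release with its
# PRIVATE key, producing the detached ASCII-armoured .asc file Apache publishes.
make_signed_release() {
    export GNUPGHOME="$WORK/maintainer"
    mkdir -p -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Maintainer <maintainer@example.invalid>' default default never
    printf 'stand-in for apache-maven-x.y.z-bin.tar.gz\n' > "$WORK/release.tar.gz"
    gpg --batch --quiet --armor --detach-sign \
        --output "$WORK/release.tar.gz.asc" "$WORK/release.tar.gz"
    gpg --batch --quiet --armor --export maintainer@example.invalid > "$WORK/maintainer.pub"
}

# Downloader's side: a separate, empty keyring that holds only the PUBLIC key
# (step 1 of the answer, with a file standing in for the keyserver).
import_public_key() {
    export GNUPGHOME="$WORK/verifier"
    mkdir -p -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$WORK/maintainer.pub"
}

# verify_release SIGNATURE FILE (step 4): exit status 0 means a good signature.
verify_release() {
    gpg --batch --quiet --verify "$1" "$2" 2>/dev/null
}

check_good_signature() {
    verify_release "$WORK/release.tar.gz.asc" "$WORK/release.tar.gz"
}

# The same signature over a modified copy must fail: the hash no longer matches.
check_tampered_file() {
    cp "$WORK/release.tar.gz" "$WORK/tampered.tar.gz"
    printf 'one extra byte\n' >> "$WORK/tampered.tar.gz"
    ! verify_release "$WORK/release.tar.gz.asc" "$WORK/tampered.tar.gz"
}

if command -v gpg >/dev/null 2>&1; then
    make_signed_release
    import_public_key
    check_good_signature; echo "release.tar.gz: good signature from the maintainer's key"
    check_tampered_file; echo "tampered.tar.gz: signature rejected"
fi
```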
