Welcome back everyone. Today we're going to be talking about using GPG to sign data. This is useful in a lot of different situations: any time you have a file or any type of data that you want to make sure does not change, and you want your users to be able to make sure that it doesn't change, it's very useful to be able to sign the data. That way they can verify in a very secure way that the data has not changed.
So what I'm going to do: I have this empty folder. I'm going to create a file, test.txt, that contains just the word hello. Okay. Now this is a very easy, or a very small, file, test.txt. Okay, so we have hello. So now I have this data, and let's say that I wanted to sign this data. I want my users to know whether it has changed from the time that I released it or not.
So there's a couple of different things you could do. If you've ever seen digital forensic videos before, we could do something like, I don't know, SHA: sha1sum test.txt. Okay, and then this will generate a hash value of this test.txt file. And with that hash value, I can basically post that hash value, let's say, on my website or with the file whenever I give it to my users. But the problem would be if somebody takes over my website: if my website gets hacked, then all that person has to do is modify that hash value. They could upload a new file, modify the hash value, and my users would at least think that the hash value is correct and it matches everything. So we can do a little bit better. And really the problem with hashes in this case is that a hash doesn't have, you know, times; it doesn't have a user associated with it. A hash only says something about the data and that's it.
Okay, so we can do a little bit better than that. I have GPG installed, and it's installed by default in every Linux distribution that I've used. So if we do gpg --list-secret-keys, I've already generated a secret key.
Now I'm going to sign the data with my secret key, and then, whenever I release the signature, anyone who has my public key can verify that the data is correct. So in this case, I've already generated my secret key. I may do another video on how to generate secret keys, but we'll see. And in the directory, I have my test.txt file. So we can do gpg --sign test.txt. I've already put my password in once before, so it already kind of remembers it for this session, but it should ask for your password, and it says, okay, this key has signed the data. So if we look again, we get this test.txt and test.txt.gpg. Now if I do cat test.txt, then it's still hello. If I do cat test.txt.gpg, it's going to give us just this binary file or binary data. So I'm going to clear that out.
And right. So now what's going on here is they've encapsulated our original file in GPG. So GPG didn't encrypt the data, but in the way that we signed it, it's kind of like it's encrypting it. So you have to use GPG to verify the signature and then you can extract the original data. Now, what does this mean in terms of usability? Well, if I, for example, modify test.txt, so I change the data, I can do gpg --verify test.txt.gpg to verify the signature. And here we have "Signature made", when it was made, and "Good signature" from my key. Okay, now the problem here is that my file changed, but because the data is actually encapsulated in this, this data did not change. Okay, so we can just upload this, but it's not very user friendly, because then you have to download test.txt.gpg, verify the data, and then extract the original, essentially.
Okay. So what we tend to do instead is something a little bit different. So I'm going to remove this test.txt.gpg. Now I have this test.txt only. Okay, if I do gpg --detach-sign test.txt.
Okay, so that's my passphrase again, and then it makes this, if we look, test.txt.sig. Okay, so if we look, cat test.txt: okay, one hello. With test.txt.sig, we can do gpg --verify test.txt.sig; we have to verify the signature. And what this is doing now: instead of encapsulating all of the data inside our GPG file, we have this detached signature. So this file is only a signature file. So you have to have the signature and the data, the original data, in the same directory to be able to verify that the data is correct. Okay, so hit enter. We have "assuming signed data in test.txt". Okay, "Signature made", "Good signature" from here.
Okay, now, if we go back and we edit test.txt, let's say go back to hello, then we try to verify the data again, we get a bad signature from Joshua James. Basically, we can't verify the data because the original file has changed. So I said that this was a little bit different than hashing. And the reason is, let me put this back, one hello, okay, gpg --verify test.txt.sig. Okay, so here we have a good signature for this.
Now, the reason that this is different from a hash: let's say that I have this text file, I hash it, and then I put the hash and the text file on my website. If my website's compromised, then they could change the file, and they could change the hash value. And there wouldn't really be, I mean, as long as the hash value is the same as for that file, my users probably wouldn't know. But if I have this signature, right, and my users look closely enough, basically, then the attacker would have to have access to my private key to be able to modify this. So my users could potentially see a wrong key ID, they could potentially see a wrong date or a strange date. And then they also might not see the correct emails or identities, basically. So if an attacker changes this text file, then the signature would be bad.
If an attacker tries to change the signature, then my public key would not verify it correctly, right? So basically what this does is attach a user identity, or some sort of identity, to a file.
Now, we tend to do detached signatures because they're a little bit easier to deal with. Some people just, I mean, might not want to verify the data. So we can just provide test.txt on our website, or wherever we want to send it, and then give the signature as well. That way people who are security conscious can actually verify whether the data is correct or not. So this is really useful for large amounts of data, or data that you think might potentially be altered from the time that you send it to the time that your recipients actually receive it. Again, this is not encrypting anything; we're just creating a signature to be able to verify whether the data is correct or not.
So that's it for today. Thank you very much. If you like this video, please subscribe for more.
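
The sequence walked through in the video, collected into one script. This is an added example, not the presenter's own code: it assumes GnuPG 2.1 or later and uses a constructed throwaway key (Demo Signer) in a temporary keyring rather than a real one, and it passes the data file to gpg --verify explicitly instead of letting gpg assume it from the .sig name.

```shell
#!/bin/sh
# Added example: attached vs. detached GPG signatures with a throwaway key.
# The signer identity and all file contents are constructed for this demo.

# Print "good" or "bad" according to the exit status of gpg --verify.
check() { if gpg --quiet --verify "$@" 2>/dev/null; then echo good; else echo bad; fi; }

sig_demo() (
  work=$(mktemp -d) || exit 1
  export GNUPGHOME="$work/gnupg"            # isolated keyring, not ~/.gnupg
  mkdir -m 700 "$GNUPGHOME" && cd "$work" || exit 1
  trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT

  # Short-lived signing key without a passphrase (demo only).
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Signer <demo@example.invalid>' \
      ed25519 sign 1d 2>/dev/null || exit 1

  echo hello > test.txt

  # Attached signature: test.txt.gpg carries its own copy of the data,
  # so editing the loose test.txt afterwards does not affect verification.
  gpg --batch --quiet --sign test.txt
  echo 'one hello' > test.txt
  echo "attached_after_edit=$(check test.txt.gpg)"
  echo "extracted=$(gpg --quiet --decrypt test.txt.gpg 2>/dev/null)"
  rm test.txt.gpg

  # Detached signature: test.txt.sig holds only the signature,
  # so the data file itself must match what was signed.
  gpg --batch --quiet --detach-sign test.txt
  echo "detached_unchanged=$(check test.txt.sig test.txt)"
  echo hello > test.txt                      # change the data after signing
  echo "detached_after_edit=$(check test.txt.sig test.txt)"
)

sig_demo
```

A script that consumes signatures should act on the exit status of gpg --verify and confirm that the reported signing key is the expected one, since a good signature from an unexpected key says nothing about the publisher.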