We’re back! Back to PGP Cryptography tutorials!! Because when I want to learn something new I learn faster by writing a tutorial about it, sharing code and receiving feedback.
So in Part 4 I apologized that I did not have a lot of time and just showed how to integrate Bouncy Castle with Android by using SpongyCastle. Now I will go through how to generate and verify detached signatures. This has become important since Part 2 did teach how to sign and verify files, but the signature was embedded inside the file. Though this works, it did not work when trying to verify the file using a regular program like GPG / Kleopatra. Also not all PGP clients support ZLIB compression which could break compatibility. So I decided that the need to generate detached signatures was important.
Continuing with the previous examples we have the PGPTools file which I wrote to make cryptography easier with BC (Full source can be found here). Generating a detached signature file needs the following:
- The file you want to sign
- The name of signature file that will be generated
- The PGP Key ring that contains your secret and public keys
Another interesting thing to know to go by is the naming convention of these files. Most programs look for it and makes it easier for the user to utilize and for programs to find. Supposed there is a file called “TheFile.txt”, below is how the signature file would be named:
- ASCII Armored Signature: TheFile.txt.asc
- Binary Signature: TheFile.txt.sig
This is not mandatory, but a nice convention to follow.
Some of my favorite things to do in software engineering is use libraries with cool names. Nothing beats The Legion of the Bouncy Castle. I like that name so much that I decided to just start using it! Well actually I really needed to use PGP cryptography in one of my projects and though it would be nice to blog about it, but yeah cool name though.
So one of the tricky issues with using Bouncy Castle (we seriously do it a disservice by shortening its amazing name to just 2 words) is the lack of proper, complete and friendly documentation. You may find many articles on the net or tutorials, but I found them way too complex and some just didn’t know what they were doing.
The best option was to look at the Bouncy Castle source code and go directly to their examples package. There they give some pretty good examples and enough to build your own tools for their API. In this part of my series I will go over generating a full fledged DSA/El Gamal PGP Key Ring that is importable into PGP.