vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2024-11-23 08:02:05 +01:00
Code Issues Projects Releases Packages Wiki Activity

Add new signature diagrams. Add some more text and structure for them.

Browse source
This commit is contained in:
Heiko Schaefer 2023-11-05 22:57:20 +01:00
parent 1dc7a7f116
commit d1e23fef9e
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB
1 changed files with 30 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
book/source/06-signatures.md
View file

@ -67,18 +67,43 @@ As outlined above, an OpenPGP signature is a composite data structure, which com
Structure of an OpenPGP signature packet
```
### Generation and validation of cryptographic signatures in OpenPGP
### Creating an OpenPGP signature packet
The central element of an OpenPGP signature packet is the raw cryptographic signature it contains. This cryptographic signature is calculated by the issuer of that signature packet.
When someone creates a signature packet, their goal is to make some type of statement about a set of input data, and encode this statement in the signature packet.
In abstract terms, the cryptographic signature certifies a set of input data ("signature over"): The signer is making a statement about that set of input data. That statement is encoded as the signature packet.
The input data consists of:
If we look more closely, the cryptographic signature is actually calculated in two steps:
- a number of packets (usually one or more packets, but in some cases none), which the signature statement is about, and
- some of the data in the signature packet itself. This data specifies the intent of the signature.
The signature type determines which data is used as the input data. Either way, the input data always consists of the information that the signature makes a statement about.
The signature packet consists of two parts:
- The data that defines the meaning of the statement, and
- A cryptographic digital signature with which the signer formally endorses that statement.
So the signature packet hinges on that cryptographic signature. It is produced by the issuer as follows:
1. A hash digest is calculated from the set of input data.
2. The signature is calculated for this hash digest.
The exact input data depends on the signature type. However, the input data always comprises the information that the signature makes a statement about. It includes the metadata in the OpenPGP signature packet itself.
```{figure} diag/Signature_Creation.png
Creating a signature in OpenPGP
```
### Verifying an OpenPGP signature packet
Verification of a signature packet involves many of the same steps. There are two main differences:
- While only the signer of the signature packet can create the cryptographic signature that it contains, everyone can verify the signature, provided they have access to the public key of the signer.
- After calculating the hash digest, a signature verification mechanism is used, based on the hash digest, the cryptographic signature, and the signer public key, to check if the signature is cryptographically valid.
```{figure} diag/Signature_Verification.png
Verifying a signature in OpenPGP
```
(signature_subpackets)=
## Signature subpackets