Allan Irving <[email protected]> writes: > What I see at the moment, when a message is just signed, is a wrapper > consisting of the encryption type the public key uses and then the key > itself towards the bottom. How does GPG prevent someone from copying this, > spoofing an email address and then signing a message?
The signature data at the bottom isn't your public key. It's [*] a hash of the message, encrypted with your private key. To verify the signature, the receiver decrypts the signature using your public key, and checks it matches the hash of the message they received. If someone copied the signature onto a different message, the hash of the new message wouldn't match the hash retrieved from the signature, so verification would fail. [*] This is simplified a bit, and there are other ways of doing digital signatures that have the same effect. See the GPG manual: https://www.gnupg.org/gph/en/manual/x215.html -- Adam Sampson <[email protected]> <http://offog.org/> _______________________________________________ Discussion mailing list [email protected] https://mail.fsfeurope.org/mailman/listinfo/discussion
