How to modify a GPG signed file while preserving the signature?
Hi all.
I need to do some modifications to a GPG signed file (signed with my own gpg-key), but if I simply edit it the signature is no longer valid (as it would be expected).
What is the correct way to modify a GPG signed file? I'm thinking of:
1) remove the signature, edit the file, apply the signature again
2) remove the file, edit an unsigned backup copy then sign it
3) use some tool - which I'm not aware of - to edit the signed file.
Also I cannot find a gpg option to simply remove the signature from an already signed file. I see only options/commands to remove a key from my own database. Thank you.
If any other solution could work then GPG would be worthless.
Good point. I assumed that upon trying to remove the signature, gpg asked the secret passphrase, but maybe my assumption is totally wrong. Thank you, stress_junkie.
Method 1 would work too. The signature is basically just a unique hash of the file appended to the end (or perhaps at the beginning, dunno really for binary files). The 'file' itself doesn't get affected, so you can edit to your heart's content.
When you've finished, just re-sign it. It's easy to do with ASCII files by removing the relevant lines. For binary, the functionality is included in the --decrypt option. Just run 'gpg --output cleanfile --decrypt signedfile' which strips out the signature and uncompresses 'signedfile' to give you the original 'cleanfile'.
Hope this helps.
edit: I just re-read your method 1 proposition, and it doesn't work. You can't use an old signature on a modified file. As stress junkie correctly pointed out, it would make GPG worthless. There's no need to resort to a backup though, so you might still use the info above.
Last edited by beadyallen; 07-18-2008 at 09:28 AM.
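The strip, edit, re-sign cycle discussed in this thread, as an added example that is not part of the original posts. It assumes GnuPG 2.1 or later; the throwaway keyring, the demo user ID and the file contents are constructed for illustration, and a detached signature is used to show the old signature failing on the edited file.

```shell
#!/bin/sh
# Added example: runs entirely in a temporary GNUPGHOME, so the real
# ~/.gnupg keyring is never touched. File contents are constructed.
resign_demo() (
    GNUPGHOME=$(mktemp -d) || exit 1
    work=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$work"' EXIT
    # Wrapper: non-interactive gpg with an empty passphrase for the demo key.
    g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

    # Ephemeral signing key without a passphrase (demo only).
    g --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never || exit 1

    printf 'version 1\n' > "$work/doc.txt"
    g --output "$work/doc.txt.gpg" --sign "$work/doc.txt" || exit 1        # signed, compressed
    g --output "$work/doc.txt.sig" --detach-sign "$work/doc.txt" || exit 1 # separate signature

    # 1. Strip the signature: --decrypt on a signed file writes the original content.
    g --output "$work/clean.txt" --decrypt "$work/doc.txt.gpg" || exit 1
    cmp -s "$work/doc.txt" "$work/clean.txt" || exit 1

    # 2. Edit the recovered file.
    printf 'version 2\n' >> "$work/clean.txt"

    # 3. The old signature no longer matches the edited content.
    if g --verify "$work/doc.txt.sig" "$work/clean.txt"; then old=GOOD; else old=BAD; fi

    # 4. Re-sign the edited file with the secret key and verify the new signature.
    g --output "$work/doc.txt.gpg" --sign "$work/clean.txt" || exit 1
    if g --verify "$work/doc.txt.gpg"; then new=GOOD; else new=BAD; fi

    echo "old_sig=$old new_sig=$new"
    [ "$old" = BAD ] && [ "$new" = GOOD ]
)

resign_demo
```
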