And for all intents and purposes, it's true. Someone who is much smarter than me, but who's name I don't remember, once said that. Security at the cost of usability comes at the cost of security It's a people solution, even if it's negative reinforcement. Imagine your boss would come in today and say "Look, if there is a warning and you ignore it, you could get fired", then I have quite a high incentive to not click that warning away. And if your reason for them to care is because it's mandatory, as you said, then that should be a good enough reason. Explain to them what a signature is, why it's important and why they should care. This is true for many security warnings, and unfortunately, there's not a lot you can do technology-wise.requires a people solution.īut what you can do is educate users.
If a computer asks them "Do you really want to do that?" then, they will just click whatever button they need to click for that message to go away. "Making someone care" is very difficult, and human psychology isn't really helping.įor example, when a user does something, they do that for a specific reason. Some people just don't care, and it's hard to fix that. What I mean by that is that you want recipients to verify the signature, so that they don't trust something they're not supposed to. A people problem.īefore, I stated that this is a "people problem". They could be lazy and always just unlock any box they find, just how they could just decrypt anything they find without checking who sent it. The problem in both scenarios is that you can't control how the other person is going to act. This is akin to them looking for the signature, verifying that it is correct, then unlocking the box and then reading the letter. You want the recipient of the message to verify your signature, then decrypt it and read your message. This is akin to writing a letter, putting it into a box, locking the box and then putting your signature on the box. You - the sender - generate a message, then encrypt it and then sign the encrypted message. You're trying to use technology to solve a people problem Where verify is a shell script that checks the status registers and aborts if required. Gpg -decrypt -status-fd –output confidential.txt signed.pgp | verify It can optionally output the status using -status-fd which can be used to check if the signature is fine using a simple script. So we will have to decrypt it first anyway to see the document. Gpg -decrypt –output confidential.txt signed.pgpĪfter some research, I found a very related question which seems to indicate that gnupg -sign -encrypt first signs and then encrypts a document. Gpg -–sign –-local-user -encrypt -recipient -output signed.pgp confidential.txt Here is the official manual, but it doesn't talk about doing everything in a single step. I tried using -signdirectly in the encryption command, but it just warns and decrypts the file which doesn't satisfy the mandatory signing requirement.
#Gpg suite decrypt verification
It works, but is this the correct way to encrypt, sign and decrypt a file if the signature verification has to be made mandatory at the recipient end? Especially, decrypting twice seems a bit odd. Gpg -decrypt –output confidential.txt confidential.gpg Gpg -decrypt –output confidential.pgp signed.pgp Gpg -–sign –-local-user -output signed.pgp confidential.pgp Gpg -encrypt -recipient -output confidential.pgp confidential.txt Here are the steps I am doing taking reference from this question: # Sender I am using gpg to encrypt and decrypt a file.
0 kommentar(er)
