I have started learning GPG and I am a bit confused about the information I have found. The GnuPG documentation says that
A signature is created using the private key of the signer
But on Apache's site, they say:
The signature file is a digest of the original file signed by a public key...
And on the same site, in another section, they say the following:
A digital signature is created from an original document using a private key.
Now I suppose that the process of signing involves signing the hash of a release using the private key of the holder and not the public one, as Apache says in the second link I have posted, or am I wrong? Otherwise, how could anyone ever decrypt the hash of a release signed with a public key if they don't have the private key of the holder?
Then, could someone simply explain what the processes of signing and verifying a signature consist of and what the steps are, e.g. for a software release like Apache Maven?
TL;DR: There is a mistake in the documentation; your understanding of signatures is right.
The signature file is a digest of the original file signed by a public [sic, this should be private] key...
Signing a document is usually performed by calculating the hash sum of the document (asymmetric cryptography is very slow for large amounts of data), which is finally encrypted using the private key, so anybody can decrypt it using the public key. If the decryption process results in the same hash sum as is calculated from the original document, it must have been encrypted using the private key, which is only known to the signer; thus the authorship is verified.
Encryption works the other way round (leaving aside the fact that OpenPGP is a hybrid cryptosystem; the general concept stays the same): the public key is used for encryption, so only the private key can be used to decrypt the information.
I added a bug report for the documentation issue (closed/fixed since 2015-07-29).
Then, could someone simply explain what the processes of signing and verifying a signature consist of and what the steps are, e.g. for a software release like Apache Maven (https://maven.apache.org/download.cgi?Preferred=ftp://apache.mirrors.tds.net/pub/apache.org/)?
gpg --recv-keys [key-id]
gpg --verify [signature-file] [file]
to check that the signature was indeed issued by the product maintainer's key.