I am using gpg to encrypt and decrypt a file. Here are the steps I am doing, taking reference from this question:
    # Sender
    gpg --encrypt --recipient recipient@gmail.com --output confidential.pgp confidential.txt
    gpg --sign --local-user sender@gmail.com --output signed.pgp confidential.pgp
    # Recipient
    gpg --decrypt --output confidential.pgp signed.pgp
    gpg --decrypt --output confidential.txt confidential.pgp
It works, but is this the correct way to encrypt, sign and decrypt a file if the signature verification has to be made mandatory at the recipient end? Especially, decrypting twice seems a bit odd. Can this be done in a single command?
I tried using --sign directly in the encryption command, but it just warns and decrypts the file, which doesn't satisfy the mandatory signing requirement. Here is the official manual, but it doesn't talk about doing everything in a single step.
    # Sender
    gpg --sign --local-user sender@gmail.com --encrypt --recipient recipient@gmail.com --output signed.pgp confidential.txt
    # Recipient
    gpg --decrypt --output confidential.txt signed.pgp
Update 1
After some research, I found a very related question which seems to indicate that gnupg --sign --encrypt first signs and then encrypts a document. So we will have to decrypt it first anyway to see the document. It can optionally output the status using --status-fd, which can be used to check if the signature is fine using a simple script. So the code would look like:
    # Sender
    gpg --sign --local-user sender@gmail.com --encrypt --recipient recipient@gmail.com --output signed.pgp confidential.txt
    # Recipient
    gpg --decrypt --status-fd 1 --output confidential.txt signed.pgp | verify
where verify is a shell script that checks the status registers and aborts if required.
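An added example, not from the question and not GnuPG's own code, of what such a verify script can look like as a POSIX sh filter over the --status-fd 1 lines. It only accepts the decrypted file when DECRYPTION_OKAY was reported, a GOODSIG line was seen, and the VALIDSIG line carries the fingerprint of the expected sender key (the fingerprint used here is a constructed placeholder). An unsigned file, a file signed by some other key, an expired or revoked signing key, or a bad signature therefore all fail. Because gpg writes --output before the signature verdict is known, the wrapper removes the already-written plaintext on failure.

```shell
#!/bin/sh
# Added example (not part of the original question): a "verify" filter for the
# recipient side that reads gpg's "[GNUPG:] ..." status lines from stdin.
# The fingerprint passed in as EXPECTED_FPR is assumed to be the sender's key
# fingerprint; the values used in comments below are constructed placeholders.

# check_gpg_status EXPECTED_FPR   (status lines on stdin)
# Returns 0 only if all of these hold:
#   - DECRYPTION_OKAY was reported
#   - GOODSIG was reported (signature verified, key neither expired nor revoked)
#   - VALIDSIG carries EXPECTED_FPR, so a signature from any other key is rejected
#   - no BADSIG / ERRSIG / NO_PUBKEY / EXPKEYSIG / REVKEYSIG / DECRYPTION_FAILED
# A file with no signature at all fails because no GOODSIG line ever appears.
check_gpg_status() {
    expected_fpr="$1"
    decrypted=0
    goodsig=0
    fpr_ok=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] DECRYPTION_OKAY"*)
                decrypted=1 ;;
            "[GNUPG:] GOODSIG "*)
                goodsig=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fingerprint> <date> <timestamp> ... : take the first field
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *}
                if [ "$fpr" = "$expected_fpr" ]; then fpr_ok=1; fi ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] DECRYPTION_FAILED"*)
                bad=1 ;;
        esac
    done
    [ "$decrypted" -eq 1 ] && [ "$goodsig" -eq 1 ] && [ "$fpr_ok" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_decrypted_file OUTFILE EXPECTED_FPR   (status lines on stdin)
# gpg has already written the plaintext to OUTFILE by the time the status
# lines arrive, so on any failure the plaintext is removed again rather than
# being left behind for a later step to consume.
verify_decrypted_file() {
    outfile="$1"
    expected_fpr="$2"
    if check_gpg_status "$expected_fpr"; then
        return 0
    fi
    rm -f -- "$outfile"
    return 1
}

# Intended use on the recipient side (EXPECTED_FPR is a placeholder you set):
#   gpg --decrypt --status-fd 1 --output confidential.txt signed.pgp \
#     | verify_decrypted_file confidential.txt "$EXPECTED_FPR" || exit 1
```

Checking the fingerprint from VALIDSIG rather than only the presence of GOODSIG is the part that makes signing mandatory in a useful sense: GOODSIG alone says that some key in your keyring produced a valid signature, not that it was the sender you expected.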