-
Notifications
You must be signed in to change notification settings - Fork 20
SigningFiles
JPGPJ will automatically sign messages when encrypting, signing each message with each secret key on the Encryptor object's key ring (for secret keys that have a passphrase set) -- see EncryptingFiles for basic encryption and signing usage.
When encrypting a message, an Encryptor will sign the message content with each key on its ring that has a subkey with the forSigning flag set to true (and its passphrase supplied), and encrypt the message for each key on its ring that has a subkey with the forEncryption flag set to true. By default, all the secret keys on the Encrytor object's ring are flagged as both forSigning and forEncryption, and all the public keys on the Encryptor object's ring are flagged as forEncryption.
To avoid encrypting a message entirely (so as to sign it only), set the Encryptor object's encryptionAlgorithm property to Unencrypted:
Encryptor encryptor = new Encryptor(
new Key(new File("/path/to/alice-sec.gpg"), "password123"),
new Key(new File("/path/to/bob-sec.gpg"), "b0bru1z!")
);
encryptor.setEncryptionAlgorithm(EncryptionAlgorithm.Unencrypted);
encryptor.encrypt(
new File("path/to/plaintext.txt"),
new File("path/to/ciphertext.txt.gpg")
);This is equivalent to the following GnuPG command:
gpg --sign --local-user alice --local-user bob \
--output path/to/ciphertext.txt.gpg path/to/plaintext.txtTo encrypt a message with just a subset of the keys on a ring, you must explicitly turn off the forEncryption flags of the keys for which you dont want to encrypt. A convenient way to do this is load keys that you only want to sign with via the KeyForSigning` class -- this will ensure that the loaded key is used only for signing, and not for encryption:
Encryptor encryptor = new Encryptor(
new KeyForSigning(new File("/path/to/alice-sec.gpg"), "password123"),
new KeyForEncryption(new File("/path/to/bob-pub.gpg"))
).encrypt(
new File("path/to/plaintext.txt"),
new File("path/to/ciphertext.txt.gpg")
);Alternately, you can loop through all the subkeys on a ring and manipulate their forEncryption flag individually:
Encryptor encryptor = new Encryptor(
new Key(new File("/path/to/alice-sec.gpg"), "password123"),
new Key(new File("/path/to/bob-pub.gpg"))
);
for (Key key: encryptor.getRing().findAll("alice"))
for (Subkey subkey: key.getSubkeys())
subkey.setForEncryption(false);
encryptor.encrypt(
new File("path/to/plaintext.txt"),
new File("path/to/ciphertext.txt.gpg")
);In the above example, we load Alice's secret key and Bob's public key, and then turn off the forEncryption flag on Alice's subkeys -- so the file will be signed by Alice, but encrypted only for Bob. This is equivalent to the following GnuPG command:
gpg --sign --encrypt --local-user alice --recipient bob \
--output path/to/ciphertext.txt.gpg path/to/plaintext.txtSee KeyRings#Setting Usage Flags for further details on subkey usage flags.
JPGPJ does not support detached signatures (signed messages that do not embed the signed content within the message itself).
JPGPJ does not support clear signing (a simplified sign-only message format, particularly useful for email).
By default JPGPJ will sign messages using the SHA256 hashing algorithm. You can configure this via the signingAlgorithm property of an Encryptor, like so:
encryptor.setSigningAlgorithm(HashingAlgorithm.SHA1);You can use any of the hash algorithms specified in RFC 4880:
- Unsigned
- MD5
- SHA1
- RIPEMD160
- SHA256
- SHA384
- SHA512
- SHA224