Secrets

My Public Key

In 8th grade I finished an exam early and popped open a notebook to doodle. Pointillism? No. Surrealism? Also no. Just hundreds of signatures in pursuit of a doctor-like scribble. Eventually, after more free time in class, I came up with a scribble worth sharing. I sharpied about 20 on a nice piece of cardstock and scanned it. I vectorized my favorite signature and it has been virtually pasted on thousands of documents since.

The process of stamping my signature virtually felt right, correct, … legal … maybe? If the United States Constitution counts because some guys scribbled on it, why would mine be different? I was living in blissful ignorance thinking Adobe electronic signatures and DocuSign “sign all” fields were built for me. But what happens in a dispute? (Contrived example incoming!) Does my corporate landlord care about an addendum I signed if it only benefits me? If I take a document to court, who decides if the “signature” was real? Does a DocuSign representative show up to small claims court? This whole process sounds expensive and/or time consuming and certainly stress inducing.

I like to think that the solution to this problem lies on a continuum from simple and insecure to complex and secure. However, another dimension that is particularly important to me is independence. Due to a combination of negligence by large companies and enterprising hackers, I have a constant subscription to “free” credit “monitoring” services as an apology from Experian and the University of California. I don’t trust these companies to hold a key to my identity. DocuSign has already been hacked, and I dread the day hackers actually (if they haven’t already) gain access to the trove of valuable documents that they hold. Fortunately, for me, these hacks have only resulted in more calls warning me about my car’s warranty.

Bring On Pretty Good Protection

I’ve neglected this for too long because it is complicated. My distaste for an external solution finally beat out the convenience of dragging the same signature onto countless documents. The goal is to “sign” a document and be able to prove that I did. A side benefit here is that you can send encrypted (private) files to others using a similar process.

You can get a general idea of the process from many articles online, so I’m only going to share my workflow. Additionally, I’m not going to try to explain the amazing mathematics behind cryptography and instead recommend Computerphile for a great explanation.

Create Your Keys

I’m assuming gpg is installed (if you’re on a UNIX machine).

  1. Generate your keys. Use a good passphrase! [1][2]

    gpg --full-generate-key

  2. Check your keys.

    gpg --list-keys

  3. Generate subkeys. A good practice is to use your base key to generate another set of subkeys and use those. This adds a layer of security in case your subkeys are compromised.

    gpg --edit-key <your base key id> addkey

  4. Back your keys up to external storage. Put these files on a flash drive and take good care of it. You can also put these on a piece of paper or etch them into some stainless steel for a long-term archive.

    gpg --export-options backup --export-secret-keys <key id> > private.gpg
    gpg --export-options backup --export <key id> > public.gpg

  5. Upload your public key to a keyserver so others can verify you. Here’s me!

    gpg --send-keys <key id>

Use Your Keys

  1. If you need your keys from your flash drive, you’ll need to import them.

    gpg --import-options restore --import private.gpg
    gpg --import-options restore --import public.gpg

  2. Sign your file! I use Okular to add some text in the PDF that says “Signed electronically using GPG: Jason Dekarske ~date~”. Honestly, this is enough to satisfy anyone looking at your document, but I wrote this whole thing so please go on to the next step.

  3. Actually sign your file! There are different options depending on the file you want to sign. Clear signing embeds the signature in the file itself, which jumbles the binary data in a PDF. Embedding a signature in a PDF is possible, since this is essentially how Adobe Acrobat does it, but to ensure compatibility you should create a detached signature instead. This gives you a .sig file which, together with your public key and the original file, can be used to verify that you did sign it!

    gpg --sign --detach-sign really-important-contract.pdf

  4. Validate a signed file with a detached signature. You’ll first need to import the person’s public key into your keyring.

    gpg --verify really-important-contract.pdf.sig

gpg: assuming signed data in 'really-important-contract.pdf'
gpg: Good signature from "Jason Dekarske <dekarskej@gmail.com>" [ultimate]
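
A "Good signature" line only says that some key in your keyring made the signature, so a script should also pin the signer. The following is an added example, not part of my original workflow above: it reads gpg's machine-readable `--status-fd` output and accepts a signature only if it chains to the expected primary key fingerprint, which matters when signing is done with a subkey. The function names, the sample fingerprints and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: pin the signer's primary-key fingerprint instead of
# trusting the human-readable "Good signature" line alone.

# check_status EXPECTED_PRIMARY_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if there is a GOODSIG,
# a VALIDSIG whose last field (the primary-key fingerprint) matches, and no
# bad, expired or revoked status. VALIDSIG alone is not enough: gpg also emits
# it for signatures made by expired or revoked keys.
check_status() {
    [ -n "$1" ] || return 2
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_detached EXPECTED_PRIMARY_FPR FILE [SIG]
# SIG defaults to FILE.sig, the name gpg gives a detached signature.
verify_detached() {
    sig=${3:-$2.sig}
    gpg --batch --status-fd 1 --verify "$sig" "$2" 2>/dev/null | check_status "$1"
}

# Constructed sample: status lines for a good signature made by a signing
# subkey (first fingerprint) that belongs to a primary key (last fingerprint).
SAMPLE_PRIMARY=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_PRIMARY
EOF
}

sample_status | check_status "$SAMPLE_PRIMARY" && echo "pinned signer verified"
```

Get the expected fingerprint from the signer directly rather than from the same place you downloaded the key, then call `verify_detached <fingerprint> really-important-contract.pdf`.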

What if?

This isn’t a perfect solution for the same reason many other mathematically sound systems (cryptocurrency) aren’t perfect in practice. People make mistakes. If I lose my keys, it’s my fault. If I share my private key instead of my public key, it’s my fault. I’m willing to take measures to reduce these risks, but I understand that the extra work is just not worth it for most. My hope is that as society gains more technological literacy, more people are conscious of their own online identities and security.