Signing and Authentication

Signing a file provides assurance that the file is really from you and has not been tampered with. A digital signature is an unforgeable mechanism that ensures that the file to which it is attached originates from the owner of the signature and is unchanged since it was signed. The private key from a user’s digital certificate is used to attach a digital signature. The signature is authenticated by application of the public key from the certificate.

Authentication is a separate operation from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication confirms that information actually comes unchanged from the purported source.

Authenticating digitally signed data both verifies the signature and validates the signed data.

Signing Files

You sign a file, or an entire archive, by attaching a digital signature derived from a digital certificate that you own. Other people use your certificate's public key to verify that the signature is yours. You can sign files either when you add them to an archive or later.

Smartcrypt always authenticates digital signatures on files that you receive, but you must have a certificate to attach a digital signature of your own. Smartcrypt will also apply digital signatures with OpenPGP public/private key pairs.

Key Usage Flags

Certificates can be designated for special purposes. Typically, this means a certificate can be defined as for encryption only or for authentication only. If a certificate has one of these flags turned on, it is not valid for the other purpose. That is, you cannot use an signing-only certificate to encrypt files.