Quote from: BudMaster on May 11, 2013, 02:28 am
Hey pine, I'm seeing if I can send messages too, here is a message to you using your public key.
Also I have a question. When you sign a message does it give the person you're sending the message to your public key? Or what does it do when you sign it?

I think I replied earlier: on your question, the answer is no. Signing a message does not give the other person your public key. That you need to send to them explicitly, it cannot without a search be derived from a signature. However, it can give the other person (and any other person that intercepts it if the signed message isn't also encrypted) some information:

1. The date of the signing.
2. The GPG key ID that signed the message. (could be used to find your public key on the forums, but this is not easy without automation)
3. Your GPG fingerprint.

It IDs you as the person who sent the message. Signatures are used to ID people's identities, but here on SR we just use them to verify the person we were speaking to yesterday is the person we're talking to today, persistent pseudonymity you could say.

In general signed messaging shouldn't be used, since if you were captured by the enemy they could prove you sent a message containing your address to a vendor if you signed it for example. However it is useful for proving you're not an imposter. There was a person pretending to be me on this forum for example, but I was able to prove with a PGP signature that I was the real Pine. There is only one Pine :-)

As for what a signature actually is, this is interesting. Your private key is used to decrypt information encrypted with your public key. However your private key can also be used to sign documents. A signature is a combination of a hash of your message and the private key signature. This both verifies that you are the sender of the message and it also makes it impossible to tamper with the contents of the message e.g. changing $7000 to $70000 shall cause the PGP message verification to fail. See here for more information: http://www.pgpi.org/doc/pgpintro/#p12

Never ever sign a public key globally. This is NOT the same thing as putting a public key in a PGP message and then signing that PGP message, which is actually a good idea in some circumstances. It is a separate concept. This is the default in most GPG programs unfortunately. The reasons are beyond this post but don't do it. It is usually a relatively obscure option within GPG programs anyway, you won't come across it unless you search it out. Signing a public key is an act you should only do locally and if you're completely confident it is being signed locally. Search my posts if you want to know why. This is a terribly confusing aspect of GPG unfortunately.

HTH
Pine
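
Added example, not part of Pine's post: a Python parser for an OpenPGP version 4 signature packet body that lists what anyone holding a signature can read from it without any key: the creation time, the issuer key ID and, where the signing software includes it, the issuer fingerprint. It assumes the input is the de-armored packet body after the packet header; the sample packet, fingerprint and timestamp are constructed.

```python
import struct
from datetime import datetime, timezone

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        n = area[i]; i += 1
        if 192 <= n < 255:                      # two-octet length form
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        elif n == 255:                          # five-octet length form
            n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        yield area[i] & 0x7F, area[i + 1:i + n] # mask off the "critical" bit
        i += n

def signature_metadata(body):
    """Fields readable from a v4 signature packet body without any key."""
    version, sig_type, pk_alg, hash_alg, hlen = struct.unpack(">BBBBH", body[:6])
    if version != 4:
        raise ValueError("only version 4 signature packets are handled")
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    meta = {"sig_type": sig_type, "pubkey_alg": pk_alg, "hash_alg": hash_alg}
    for kind, data in [*subpackets(hashed), *subpackets(unhashed)]:
        if kind == 2:                           # signature creation time
            secs = struct.unpack(">I", data)[0]
            meta["created"] = datetime.fromtimestamp(secs, timezone.utc)
        elif kind == 16:                        # issuer key ID (8 octets)
            meta["key_id"] = data.hex().upper()
        elif kind == 33:                        # issuer fingerprint, after a version octet
            meta["fingerprint"] = data[1:].hex().upper()
    return meta

# Constructed sample (v4, text signature 0x01, RSA=1, SHA-256=8); dummy values throughout.
def sub(kind, data):
    return bytes([len(data) + 1, kind]) + data

FPR = bytes(range(1, 21))                       # constructed 20-byte fingerprint
CREATED = 1_700_000_000                         # constructed timestamp
HASHED = sub(33, b"\x04" + FPR) + sub(2, struct.pack(">I", CREATED))
UNHASHED = sub(16, FPR[-8:])
SAMPLE = (bytes([4, 0x01, 1, 8]) + struct.pack(">H", len(HASHED)) + HASHED
          + struct.pack(">H", len(UNHASHED)) + UNHASHED
          + b"\x00\x00" + b"\x00\x01\x01")      # hash prefix, 1-bit dummy MPI

if __name__ == "__main__":
    for field, value in signature_metadata(SAMPLE).items():
        print(f"{field}: {value}")
```

For a version 4 key the key ID is the last 8 octets of the fingerprint, which is why the two values in the output overlap.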