I use GPG to sign my outgoing emails. I understand how it works when I encrypt m
ID: 655754 • Letter: I
Question
I use GPG to sign my outgoing emails.
I understand how it works when I encrypt mail to send to someone else. Then I need his/her public key, encrypt it with that, and only he can decrypt it using his private key.
What I understand from signing my outgoing mail, I use my private key to do this. The receiver doesn't need to use GPG (to read the mail), and I don't need their public key. I suppose my public key is used by the receiver to check if the signature is legit, but maybe I misunderstand.
How can they use my public key to verify that my signature is valid?
Explanation / Answer
Signing data is to prove to someone else that it originated from you. By signing with your private key (that only you have) you ensure that anyone with your public key can verify the message. You don't use their public key, but they have yours.
The signature itself is a cryptographic hash of the entire message that is signed with your private key. Any change to the message would generate an incorrect hash. Since the sender should be the only one with the private key anyone in the middle of communication should not be able to reproduce that signature. The receiver uses calculates their own hash, then compares it to the one that was signed.
This is secure because if the message was altered and signed with a different private key the receiver would still be attempting to use the original sender's public key to decrypt. This would generate an incorrect value and the message would not be verified.