Basics:
- Signing is encryption with the private key.
- Verification is decryption with the public key.
Signing and verifying use asymmetric cryptography, which is expensive, so signing the hash of the data is much cheaper than signing the whole data.
Signing data:
- calculate hash from data
- sign hash (with private key)
- publish data + signed hash + public key
Verifying data:
- calculate the hash from the data
- decrypt the signed hash with the public key
- compare both hashes: they must match
# Create private/public key pair
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -outform PEM -out public_key.pem
# Create demo file
DATA=demo_data.txt
echo "demo file" > $DATA
# Sign: hash the file with SHA-256 and sign that hash with the private key
# (the .digest output file is the signature, not the bare hash)
openssl dgst -sha256 -sign private_key.pem -out $DATA.digest $DATA
# Verify: recompute the SHA-256 hash and check it against the signature with the public key
openssl dgst -sha256 -verify public_key.pem -signature $DATA.digest $DATA
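The following is an added example, not part of the original note: it shows that `openssl dgst -sign` is exactly "hash, then sign the hash" by producing the same signature in two steps with `pkeyutl`, and that changing one byte of the data makes verification fail. It assumes only that the `openssl` CLI is on PATH; the working directory and file names are chosen here.

```shell
#!/bin/sh
# Added example: one-step vs. two-step RSA signing, plus a tamper check.
# Assumes the openssl CLI is installed; everything else is created below.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair as in the note above (2048-bit RSA).
openssl genrsa -out "$WORK/private_key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/private_key.pem" -pubout -out "$WORK/public_key.pem" 2>/dev/null

# Constructed sample data.
printf 'demo file\n' > "$WORK/demo_data.txt"

# One step: openssl hashes the file with SHA-256 and signs that hash.
sign_onestep() {
    openssl dgst -sha256 -sign "$WORK/private_key.pem" -out "$2" "$1"
}

# Two steps: write the raw 32-byte SHA-256 digest, then sign only that value.
# pkeyutl wraps it in the PKCS#1 DigestInfo for sha256, which is what
# dgst -sign does internally, so the signatures must be byte-identical.
sign_twostep() {
    openssl dgst -sha256 -binary -out "$WORK/hash.bin" "$1"
    openssl pkeyutl -sign -in "$WORK/hash.bin" -inkey "$WORK/private_key.pem" \
        -pkeyopt digest:sha256 -out "$2"
}

# Returns 0 when the signature matches the file, non-zero otherwise.
verify() {
    openssl dgst -sha256 -verify "$WORK/public_key.pem" -signature "$2" "$1" >/dev/null 2>&1
}

sign_onestep "$WORK/demo_data.txt" "$WORK/sig_onestep.bin"
sign_twostep "$WORK/demo_data.txt" "$WORK/sig_twostep.bin"
cmp -s "$WORK/sig_onestep.bin" "$WORK/sig_twostep.bin" && SAME_SIG=yes || SAME_SIG=no

# The unmodified file verifies; a single changed byte must make it fail.
verify "$WORK/demo_data.txt" "$WORK/sig_onestep.bin" && ORIGINAL_OK=yes || ORIGINAL_OK=no
printf 'demo file!\n' > "$WORK/demo_data.txt"
verify "$WORK/demo_data.txt" "$WORK/sig_onestep.bin" && TAMPERED_OK=yes || TAMPERED_OK=no

echo "same signature from both routes: $SAME_SIG"
echo "original verifies: $ORIGINAL_OK, tampered verifies: $TAMPERED_OK"
```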