How to digitally sign an e-mail

Written by Eric Bright

Last update on August 29, 2013

2nd updated on August 25, 2011

First published on Feb 3, 2009


[UPDATE: This solution would not work with Gmail any longer, because the Firefox add-on that I was using at the time is not supported any more. Read the instructions for the updated method of signing your email here.]

Requirements:

  • Operating systems: Win XP, Vista, or 7
  • Software: GnuPG, Firefox, FireGPG (it’s a Firefox add-on), GPGshell
  • A gmail account
  • Enough time

  1. Go to Tools > Add-ons > Get add-ons
  2. Search for: FireGPG [UPDATE: this extension is discontinued. It will not work with Gmail any more because Gmail support has been removed from the extension. Here is the blog post explaining the discontinuation.]
  3. When the add-on is found, install it [UPDATE: the add-on (or extension) is not available on the Firefox Add-ons web site any more. You can still get it from here though.]
  4. Download GnuPG from here
  5. Install what you have downloaded (the package contains GnuPG 2.0.17 and several other applications; you only need GnuPG)
  6. Restart your Firefox
  7. Go to Tools > Add-ons > Extensions
  8. Browse down to find FireGPG and then click on Options
  9. You will probably get the following message: Error : FireGPG is unable to access the gpg executable. Make sure GPG is installed or specify the path in the preferences.
  10. Click on Ok
  11. Go to the GPG tab
  12. Put a check mark next to Specify the path of GPG
  13. Click on the Browse button and browse to the folder you just installed your GPG into. By default it is usually in the following location: C:\Program Files\GNU\GnuPG\gpg.exe (note: on 64-bit Windows it would be installed in C:\Program Files (x86)\GNU\GnuPG\gpg.exe). Select it and press Open
  14. Now you are back to the FireGPG Preferences dialog box. Click on Ok
  15. Close Add-ons
  16. Now you need to make a key pair to sign your e-mails so that no one can forge e-mails from you any more. Here is how to make new keys and how to use them:
  17. Download GPGshell from here: http://www.jumaros.de/rsoft/index.html
  18. Now you should have a file named gpgsh377.zip on your desktop (or wherever downloaded files are put automatically). Unzip and install GPGshell
  19. When you are asked if you “want to use blah blah blah for the GPGshell-HomeDir” say Yes
  20. Now you need to set up your computer’s PATH environment variable. To do so, right-click on My Computer (or on Computer if you use Vista) and select Properties
  21. Click on the Advanced tab (“Advanced System Settings” and then the “Advanced” tab under Windows 7)
  22. Click on Environment Variables
  23. Then browse down in the System Variables list-box and find PATH
  24. Press the Edit button
  25. In the Variable Value field, add C:\Program Files\GNU\GnuPG and make sure that it is separated from the next entry by a semicolon (;); if you added it to the end of the string, it should be separated from the last item by a semicolon in the same way. (Note: it would be C:\Program Files (x86)\GNU\GnuPG if you are using a 64-bit system)
  26. Press Ok, three times I guess
  27. If you are on a Win XP machine, you need to restart now for the changes to take effect. Vista/Win7 does not need a restart
  28. Now, open Start > GPGshell > GPGkeys
  29. It’s the first time you are running this application, so you might not have a pair of keys. Then the program asks you to “create your own key now”. Say Yes
  30. GPGkeys’ Key Generation dialogue box will open up. In the User ID section, fill in the Name, Comment, and the E-mail that you are going to use. Example: Name: Andi Ramfield, Comment: My first key ring, E-mail: [email protected]
  31. Now click on the Generate button
  32. A command-line window pops up. After it finishes its work, you will get a dialog box asking you to protect your key with a passphrase. Click on Yes
  33. A new command-line window comes up again. Now enter your passphrase (like a password, but it can be much longer). Example: AnDi-RaMfIeLd-7531. You have to repeat it one more time to confirm the passphrase
  34. Now the GPGkeys main window comes up. You are done with making a pair of keys: a Public key and a Private key. You keep the Private key safe, and give the Public key to others. You should send me one copy of the Public key that you just created. To do that, in the GPGkeys window, right-click on the key you just created, then select Export and put the file on your desktop. The key that you export has to have pub.asc at the end of its name; that means that it is a public key, not your private key
  35. Now log in to your Gmail account (or Yahoo or Hotmail or whatever). Go to Compose Mail and write something
  36. Select the text you wrote
  37. You will see several buttons added to your tool-bar. One is Clear sign. Click on that button while the text in the compose area is still selected
  38. The FireGPG private key window will pop up. Select the key you created and click on Ok
  39. You will be asked to enter your passphrase. Enter it and bang! You have your text digitally signed
  40. But for me to be able to verify your signature, you should attach the public key that you exported to your desktop. So attach it to the e-mail that you signed (you only need to do this once; I will have it on my computer for as long as it has not expired)
  41. Ok! Now you have signed the text and attached your public key. When I get your e-mail, I download your attached public key too, install it on my computer, and will be able to Verify your signature later

That’s it!
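The key generation, clear-signing and verification that steps 28 to 41 perform through GPGkeys and FireGPG, done with the same gpg program from the command line in throw-away keyrings (an added example, not part of the original post; it assumes gpg 2.1 or newer on the PATH, and the name, e-mail address, passphrase and message text are constructed):

```shell
#!/bin/sh
# Sender makes a key pair and exports only the public half (the *pub.asc file),
# clear-signs a message; recipient imports that public key and verifies.
# Assumes gpg >= 2.1 on PATH. Name, address, passphrase and text are made up.
sign_and_verify_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping"; return 0; }
    work=$(mktemp -d)
    uid="Andi Ramfield (My first key ring) <andi@example.com>"
    pass="AnDi-RaMfIeLd-7531"

    # Sender side: private keyring, generate key, export PUBLIC key, clear-sign.
    export GNUPGHOME="$work/sender"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-gen-key "$uid" default default never
    gpg --batch --quiet --armor --export "$uid" > "$work/andi-pub.asc"
    printf 'Hello,\nthis is the text I typed in Gmail.\n' > "$work/msg.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --local-user "$uid" --clearsign --output "$work/msg.asc" "$work/msg.txt"
    gpgconf --kill gpg-agent 2>/dev/null || true

    # Recipient side: separate keyring, import the attached public key, verify.
    export GNUPGHOME="$work/recipient"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$work/andi-pub.asc"
    gpg --batch --quiet --verify "$work/msg.asc" 2>/dev/null || return 1

    # Change one character of the signed text: verification must now fail.
    sed 's/Hello,/Hello!/' "$work/msg.asc" > "$work/tampered.asc"
    if gpg --batch --quiet --verify "$work/tampered.asc" 2>/dev/null; then
        return 1
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}
```

Without the imported public key the recipient's `gpg --verify` cannot check the signature at all, which is why step 40 has you attach the pub.asc file.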

The good thing is that I can send you Encrypted e-mails as long as I have your un-expired public key, and no one on earth, not even me, can open them [possibly for a long time]. To open them, one has to have your Private key. The Firefox add-on, i.e. FireGPG, will decrypt the encrypted text you receive as long as it still has access to your Private key.

Once you have installed those programs on your system, i.e. Firefox, FireGPG, GPG (GnuPG), GPGshell, and opened your e-mail account in Gmail, you will also be able to use my public key (it might be attached to one of my e-mails to you, who knows!) to encrypt your messages to me, if you want to. You can still sign the e-mail you send me using your own Private key (given that you have already given me your Public key). But if you encrypt your e-mail to your own key instead of my public key, I will not be able to open it.

:)

6 thoughts on “How to digitally sign an e-mail”

  1. But I am not getting any kind of MIME attachment after signing the email as per your above steps... :(

    And can you please suggest any link to verify the signature, either by using Thunderbird or any other way? Or please elaborate it in the form of steps.

  2. Can you please help me out in finding what signs we get when a particular mail is digitally signed? Also, I'm not getting how to verify the signature on the receiver end.

    1. Hi. If we use on-line services to visit our inbox, we usually do not see the signs of a digital signature being presented properly. For example, when I send a digitally signed e-mail to myself and go on-line to my inbox, using server-side e-mail clients like Gmail or Yahoo, I usually see only an attachment with an extension like MIME that cannot be opened with my browser. Usually that would be the only sign of a digital signature. However, seeing an attachment with a .mime extension does not necessarily mean that the e-mail is digitally signed, nor does it mean that, if it is signed, the signature is valid. But Gmail and Yahoo both provide access for client-side e-mail clients as well. That is what we usually need. It is possible to install a few add-ons in Firefox, the web browser itself, to make it capable of verifying such a signature, but the process is not an easy one and needs lots of attention to detail. Client-side e-mail clients, like Thunderbird, come equipped with the necessary tools for that job.

      When we have that application installed, we also need to have the public part of our friends’ keys in order to verify their signatures against their own public keys. Otherwise how are we going to decide if it was them who actually signed the e-mail? That is when we have to ask them to send us their public key; then we have to install their public key in our system (that can be handled automatically by our system if the public key is in the right format), and then use our, say, Thunderbird to fetch our friends’ e-mails off, say, the Gmail servers. Upon reception of the e-mails, Thunderbird will automatically test the attachment of a digitally signed e-mail against the repository of public keys it has access to, find the right public key, and verify that the signature meets the criteria it should meet (it is more complicated than comparing two versions of the same signature to see if they look alike. Public keys do not look like private keys, and a digitally signed document does not have any particular feature that makes it look like anything else we have on our system. The verification test is done through complex cryptographic algorithms).

      The receiver also needs to have similar applications installed on his or her machine. It could be an armed Firefox or it could be a client-side e-mail client. Again, the receiver has to have your public key to be able to verify your digital signature.

      When the applications and settings are right, and you receive a digitally signed e-mail for which you have the public key of the sender, the application you are using, say Thunderbird, will show you an icon with a green check mark or some other icon signifying that the signature is verified, that it was made by whoever gave you such and such public key, and that it is valid. Other e-mail clients will give you other signs, usually in the form of either a text saying so, or an icon that is supposed to tell you about the validity of the digital signature.

      I hope this gave you some hints, at least.

      :)

  3. you really shouldn’t say “The good thing is that I can send you Encrypted e-mails as long as I have your un-expired public key and no one on earth, not even me, can open it. To open it, one has to have your Private key”

    nothing is completely hack-proof indefinitely…

    maybe rather ‘next to impossible for anyone on earth to……’

    eh?

    -zao-
