GPG Walk Through Noobs - Ubuntu Containers

From CompleteNoobs

Latest revision as of 21:28, 9 July 2025

Going to learn the basics of GPG in a quick walk through

  • IMPORTANT NOTE: In the LXC containers sudo is required (not 100% sure why); it is not required when running on a normal host (not a container).

Step 1 - Creating containers and logging in

  • Create 2 Ubuntu 24.04 containers, foo and bar

lxc launch ubuntu:24.04 foo
lxc exec foo bash
su - ubuntu

lxc launch ubuntu:24.04 bar
lxc exec bar bash
su - ubuntu

Keep 2 terminals open, one logged into each container as user ubuntu.

Step 2 - update container and install GPG

  • Update and install gnupg2 in both containers
  • gnupg2 installs the `gnupg` package, which includes the `gpg` command.

sudo apt update && sudo apt upgrade -y && sudo apt install gnupg2 -y

  • Verify installation

gpg --version

Step 3 - Creating KeyPairs

  • IMPORTANT NOTE: In the LXC containers sudo is required (not 100% sure why); it is not required when running on a normal host (not a container).

Create Key Pair for Container Foo

  • Generate new GPG key pair

sudo gpg --full-generate-key

  • Follow prompts:
  1. Choose key type: (9) ECC (default)
  2. Key size: 1024 to 4096 bits (3072 default)
  3. Key expiration: 0 = key does not expire
  4. Real name: foo
  5. Email: foo@foo.com
  6. Comment: i am foo
  7. Passphrase: choose a secure passphrase


sudo gpg --full-generate-key output:

ubuntu@foo:~$ sudo gpg --full-generate-key
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection? 
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: foo
Email address: foo@foo.com
Comment: i am foo
You selected this USER-ID:
    "foo (i am foo) <foo@foo.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/107B0222408951691EF6C91B4D9C986B00A60CFE.rev'
public and secret key created and signed.

pub   ed25519 2025-07-08 [SC]
      107B0222408951691EF6C91B4D9C986B00A60CFE
uid                      foo (i am foo) <foo@foo.com>
sub   cv25519 2025-07-08 [E]

Create Key Pair for Container Bar

  • Generate new GPG key pair

sudo gpg --full-generate-key

  • Follow prompts:
  1. Choose key type: (1) RSA
  2. Key size: 1024 to 4096 bits (3072 default)
  3. Key expiration: 0 = key does not expire
  4. Real name: bar
  5. Email: bar@bar.com
  6. Comment: i am bar
  7. Passphrase: choose a secure passphrase

sudo gpg --full-generate-key output:

ubuntu@bar:~$ sudo gpg --full-generate-key
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: bar
Email address: bar@bar.com
Comment: i am bar
You selected this USER-ID:
    "bar (i am bar) <bar@bar.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/56107DF2FB1A226BDFED3CC362C74C327D5EB42B.rev'
public and secret key created and signed.

pub   rsa3072 2025-07-09 [SC]
      56107DF2FB1A226BDFED3CC362C74C327D5EB42B
uid                      bar (i am bar) <bar@bar.com>
sub   rsa3072 2025-07-09 [E]

Exchanging Keys

  • List Keys

sudo gpg --list-keys

ubuntu@bar:~$ sudo gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2025-07-09 [SC]
      56107DF2FB1A226BDFED3CC362C74C327D5EB42B
uid           [ultimate] bar (i am bar) <bar@bar.com>
sub   rsa3072 2025-07-09 [E]

Export Public Key

  • Container Bar

sudo gpg --armor --export bar@bar.com > me_bar_pub_key.asc

cat me_bar_pub_key.asc output:

ubuntu@bar:~$ cat me_bar_pub_key.asc 
-----BEGIN PGP PUBLIC KEY BLOCK-----

-----END PGP PUBLIC KEY BLOCK-----

  • Container Foo

sudo gpg --armor --export foo@foo.com > me_foo_pub_key.asc

cat me_foo_pub_key.asc output:

ubuntu@foo:~$ cat me_foo_pub_key.asc 
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Import Public Key

Swap the public keys between the LXC containers - copy and paste OR push and pull:

  • Option 1 - Copy and Paste

cat me_foo_pub_key.asc

Copy the content and paste it into a file in the bar container (e.g. bar-pub.asc), and vice versa.

  • Note: the file containing the public key can be called anything; the .asc extension is not required as long as you know what it is.

  • Option 2 - Push and Pull

Optional: create a directory for the swap on the host:

noob@noob-ThinkPad-T470:~$ mkdir keyswap
noob@noob-ThinkPad-T470:~$ cd keyswap/
noob@noob-ThinkPad-T470:~/keyswap$ lxc file pull bar/home/ubuntu/me_bar_pub_key.asc .
noob@noob-ThinkPad-T470:~/keyswap$ lxc file pull foo/home/ubuntu/me_foo_pub_key.asc .
noob@noob-ThinkPad-T470:~/keyswap$ ls
me_bar_pub_key.asc  me_foo_pub_key.asc
noob@noob-ThinkPad-T470:~/keyswap$ lxc file push me_bar_pub_key.asc foo/home/ubuntu/
noob@noob-ThinkPad-T470:~/keyswap$ lxc file push me_foo_pub_key.asc bar/home/ubuntu/

  • In Container Foo we are going to import the public key for Bar

sudo gpg --import me_bar_pub_key.asc

Output:

ubuntu@foo:~$ sudo gpg --import me_bar_pub_key.asc 
gpg: key 62C74C327D5EB42B: public key "bar (i am bar) <bar@bar.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

  • Verify import

sudo gpg --list-keys

Output:

ubuntu@foo:~$ sudo gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   ed25519 2025-07-08 [SC]
      107B0222408951691EF6C91B4D9C986B00A60CFE
uid           [ultimate] foo (i am foo) <foo@foo.com>
sub   cv25519 2025-07-08 [E]

pub   rsa3072 2025-07-09 [SC]
      56107DF2FB1A226BDFED3CC362C74C327D5EB42B
uid           [ unknown] bar (i am bar) <bar@bar.com>
sub   rsa3072 2025-07-09 [E]

  • Do the same in the other container (import Foo's public key into Bar).

Trust Level for Imported Key

  • Just do this on one container for now -

In container Foo

  • Edit Bar's key to set trust

sudo gpg --edit-key bar@bar.com

  • At gpg prompt, type:

trust

  • Choose option 5 (ultimate trust)

quit

Example of not trusting a public key:

  • Bar did not mark Foo's public key as trusted, so gpg asked for confirmation when encrypting to that recipient's public key.

ubuntu@bar:~$ sudo gpg --armor --encrypt --recipient foo@foo.com test.txt
gpg: 50307AF320586962: There is no assurance this key belongs to the named user

sub  cv25519/50307AF320586962 2025-07-08 foo (i am foo) <foo@foo.com>
 Primary key fingerprint: 107B 0222 4089 5169 1EF6  C91B 4D9C 986B 00A6 0CFE
      Subkey fingerprint: 4A5D 347A EA1A 88D6 A69C  51CA 5030 7AF3 2058 6962

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
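Before a key is given trust, its fingerprint should be checked against one received out of band (the "There is no assurance this key belongs to the named user" prompt above is exactly the gap this closes). The following is an added example, not part of the original page: it does that check in shell using gpg's machine-readable --with-colons output, then imports and records ownertrust only on a match. The function names, the --import-ownertrust step standing in for the interactive trust menu, and the embedded sample colon output are this example's own; in the page's containers prefix the gpg calls with sudo as the page does.

```shell
#!/bin/sh
# Added example (not from the original page): compare an exported public key's
# fingerprint with one obtained out of band before importing it and setting
# trust. Uses gpg's --with-colons output, where "fpr" records carry the
# fingerprint in field 10. Function names are the example's own.

# Primary-key fingerprint from colon-format output on stdin. Records for one
# key arrive in the order pub, fpr, uid, sub, fpr, so the first fpr record
# belongs to the primary key and later ones to subkeys.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a human-formatted fingerprint such as the page's
# "107B 0222 4089 5169 1EF6  C91B 4D9C 986B 00A6 0CFE": drop spaces, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# 0 if the colon output on stdin has the expected primary fingerprint, else 1.
fpr_matches() {   # usage: fpr_matches EXPECTED_FPR < colons-output
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr_from_colons)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full flow against a real key file (needs gpg): show the key without importing
# it, compare, and only on a match import it and record ownertrust. Ownertrust
# value 6 is "ultimate", which the page's "trust -> 5" menu choice sets; 5 is
# "full", the usual level for another person's verified key.
verify_and_import() {   # usage: verify_and_import KEYFILE EXPECTED_FPR [6|5]
    keyfile=$1 expected=$2 level=${3:-6}
    if gpg --with-colons --show-keys "$keyfile" | fpr_matches "$expected"; then
        gpg --import "$keyfile" &&
        printf '%s:%s:\n' "$(normalize_fpr "$expected")" "$level" | gpg --import-ownertrust
    else
        echo "fingerprint of $keyfile does not match; not importing" >&2
        return 1
    fi
}

# Constructed sample in the shape of `gpg --with-colons --show-keys me_foo_pub_key.asc`
# for the page's foo key (only the fpr records matter to the functions above).
SAMPLE_COLONS='pub:-:255:22:4D9C986B00A60CFE:1751932800:::-:::scESC::::::23::0:
fpr:::::::::107B0222408951691EF6C91B4D9C986B00A60CFE:
uid:-::::1751932800::0000000000000000000000000000000000000000::foo (i am foo) <foo@foo.com>::::::::::0:
sub:-:255:18:50307AF320586962:1751932800::::::e::::::23:
fpr:::::::::4A5D347AEA1A88D6A69C51CA50307AF320586962:'

# Offline check the reader can run: exit 0 when the sample carries EXPECTED_FPR
# as its primary fingerprint (a subkey fingerprint does not count).
check_sample() {   # usage: check_sample "107B 0222 4089 5169 1EF6  C91B 4D9C 986B 00A6 0CFE"
    printf '%s\n' "$SAMPLE_COLONS" | fpr_matches "$1"
}
```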

Encrypt file from Foo to Bar

  • Create super secret file:

echo "This is a secret message from Foo to Bar!" > secret.txt

  • Encrypt for Bar

sudo gpg --armor --encrypt --recipient bar@bar.com secret.txt

  • This creates a file encrypted to bar's public key with an .asc extension.
secret.txt.asc
  • Send this file to Bar

File Contents:

ubuntu@foo:~$ cat secret.txt.asc 
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

Decrypting file

  • In container Bar

sudo gpg --decrypt secret.txt.asc > decrypted_secret.txt

You will be prompted for your passphrase. Then:

cat decrypted_secret.txt

This is a secret message from Foo to Bar!

Encryption Image

  • Encrypting an image is the same as encrypting a file

sudo gpg --armor --encrypt --recipient bar@bar.com test_image.jpg

  • Will end up with a file with the .asc extension test_image.jpg.asc

Decrypt Image

sudo gpg --decrypt test_image.jpg.asc > decrypted_image.jpg

Encryption Directory

  • To encrypt a directory, archive the directory first and then encrypt the archive

tar -czf secret_folder.tar.gz secret_folder/

  • And Encrypt the Archive

sudo gpg --armor --encrypt --recipient bar@bar.com secret_folder.tar.gz

  • secret_folder.tar.gz.asc is now encrypted and safe to send over the network.

Decrypt Directory

  • Decrypt the archive

sudo gpg --decrypt secret_folder.tar.gz.asc > decrypted_folder.tar.gz

  • Extract the archive

tar -xzf decrypted_folder.tar.gz

Symmetric Encryption (Password-based)

  • You will be prompted to enter a passphrase (this is the password that will be required to decrypt)

sudo gpg --armor --symmetric msg.txt

  • A file with the .asc extension will be created.

msg.txt.asc

Decrypt Symmetric Encryption

  • Will be prompted for password

sudo gpg --decrypt msg.txt.asc

  • The above command prints the decrypted content to the terminal; if you want the decrypted content stored in a file, then:

sudo gpg --decrypt msg.txt.asc > decrypted-file.txt

Signing and Verifying Files

  • IMPORTANT NOTE: In the LXC containers sudo is required for signing and verifying, due to the same issue as key generation (likely a missing /run/user/<uid> directory). This is not typically required on a normal host.

Signing and Encrypting a File (Foo to Bar)

  • In container Foo, create a file to sign and encrypt:

echo "This is a signed and encrypted message from Foo to Bar!" > secret_signed.txt

  • Sign and encrypt the file for Bar's public key:

sudo gpg --armor --sign --encrypt --recipient bar@bar.com secret_signed.txt

  • This creates secret_signed.txt.asc, which is signed by Foo's private key and encrypted for Bar's public key.

cat secret_signed.txt.asc output:

ubuntu@foo:~$ cat secret_signed.txt.asc
-----BEGIN PGP MESSAGE-----

-----END PGP MESSAGE-----

  • Send secret_signed.txt.asc to Bar (e.g., via lxc file push or copy-paste).

Checking the Signer (Encrypted File)

  • In Container Bar we did not trust Foo's public key
  • Decrypt and verify the signed file:

sudo gpg --decrypt secret_signed.txt.asc > decrypted_signed.txt

  • GPG will decrypt the file using Bar's private key and verify the signature using Foo's public key. You will be prompted for Bar's passphrase.

sudo gpg --decrypt secret_signed.txt.asc > decrypted_signed.txt output:

ubuntu@bar:~$ sudo gpg --decrypt secret_signed.txt.asc > decrypted_signed.txt
gpg: encrypted with rsa3072 key, ID 8E2E95AB835CF051, created 2025-07-09
      "bar (i am bar) <bar@bar.com>"
gpg: Signature made Wed Jul  9 21:00:20 2025 UTC
gpg:                using EDDSA key 107B0222408951691EF6C91B4D9C986B00A60CFE
gpg: Good signature from "foo (i am foo) <foo@foo.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 107B 0222 4089 5169 1EF6  C91B 4D9C 986B 00A6 0CFE

  • The output shows the file was signed by foo (i am foo) <foo@foo.com>. "Good signature" confirms the signature is valid (the file is authentic and unaltered).
  • The WARNING line (This key is not certified with a trusted signature!) shows that 'foo' was not added to the trusted signers.
  • Check the decrypted content:

cat decrypted_signed.txt

This is a signed and encrypted message from Foo to Bar!
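A "Good signature" line means the signature is cryptographically valid, not that the signer is who the user ID claims; the [unknown] and the WARNING above are the part that scripts wrapping gpg usually miss. The following is an added example, not from the original page: it reads gpg's machine-readable --status-fd stream instead of the human-readable text and accepts a decrypted file only when a GOODSIG is paired with TRUST_FULLY or TRUST_ULTIMATE. The function names and the constructed sample status streams are this example's own; in the page's containers prefix gpg with sudo as the page does.

```shell
#!/bin/sh
# Added example (not from the original page): decrypt a signed-and-encrypted
# file and accept it only if gpg's --status-fd stream reports a good signature
# from a key the local trust database marks fully or ultimately trusted. The
# page's "Good signature ... [unknown]" plus WARNING appears in that stream as
# TRUST_UNDEFINED and is rejected here. Function names are the example's own.

# Judge a --status-fd stream on stdin. Lines look like
#   [GNUPG:] GOODSIG <long key id> <user id>
#   [GNUPG:] TRUST_UNDEFINED 0 pgp
# Exit 0 = accept, 1 = good signature but untrusted signer, 2 = bad/no signature.
judge_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END {
            if (bad || !good) exit 2
            if (!trusted) exit 1
            exit 0
        }'
}

# Full flow (needs gpg): decrypt IN to OUT while collecting status lines on
# fd 3, and remove OUT again unless the signature is accepted.
decrypt_verified() {   # usage: decrypt_verified secret_signed.txt.asc decrypted_signed.txt
    in=$1 out=$2 status=$(mktemp)
    gpg --status-fd 3 --output "$out" --decrypt "$in" 3>"$status" || :
    if judge_status <"$status"; then rc=0; else rc=$?; fi
    rm -f "$status"
    case $rc in
        0) echo "accepted: good signature from a trusted key" ;;
        1) echo "rejected: good signature, but the signer's key is not trusted" >&2; rm -f "$out" ;;
        *) echo "rejected: bad or missing signature" >&2; rm -f "$out" ;;
    esac
    return $rc
}

# Constructed status streams modelled on the page's decrypt in container Bar
# (foo's key imported but left [unknown]), on the same key after trusting it,
# and on a tampered message.
STATUS_UNTRUSTED='[GNUPG:] ENC_TO 8E2E95AB835CF051 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4D9C986B00A60CFE foo (i am foo) <foo@foo.com>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
STATUS_TRUSTED='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 4D9C986B00A60CFE foo (i am foo) <foo@foo.com>
[GNUPG:] TRUST_ULTIMATE 0 pgp'
STATUS_BADSIG='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] BADSIG 4D9C986B00A60CFE foo (i am foo) <foo@foo.com>'

# Offline check the reader can run: judge one of the samples above.
judge_sample() {   # usage: judge_sample "$STATUS_UNTRUSTED"; echo $?   (prints 1)
    printf '%s\n' "$1" | judge_status
}
```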

Signing Without Encryption

  • In container Foo, sign a file without encrypting it:

echo "This is a signed but not encrypted message from Foo!" > public_signed.txt
sudo gpg --armor --sign public_signed.txt

  • This creates public_signed.txt.asc, signed by Foo's private key but readable by anyone.
  • Although the content of public_signed.txt.asc looks encrypted when you read it, it is not; no passphrase is required to make it readable.

cat public_signed.txt.asc output:

ubuntu@bar:~$ cat public_signed.txt.asc 
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

Make Signed Content Readable

  • This command takes the signed content, writes it to a readable file called decrypted-file.txt, and gpg verifies the signer.

sudo gpg --output decrypted-file.txt --decrypt public_signed.txt.asc

  • Note: bar imported and trusted foo's public key

ubuntu@bar:~$ sudo gpg --output decrypted-file.txt --decrypt public_signed.txt.asc 
gpg: Signature made Wed Jul  9 21:15:16 2025 UTC
gpg:                using RSA key 56107DF2FB1A226BDFED3CC362C74C327D5EB42B
gpg: Good signature from "bar (i am bar) <bar@bar.com>" [ultimate]