How to make an electronic signature yourself

Let me say up front that I am almost an amateur in matters related to electronic digital signatures (EDS). Recently, driven by natural curiosity, I decided to sort this out a little and found 100,500 articles on the Internet about obtaining digital signature certificates from various certification centres, as well as numerous instructions for using various ready-made applications for signing documents. In some places it was mentioned in passing that an unqualified signature can be made independently if you use the services of an "experienced programmer".


I also wanted to become at least a little "experienced" and understand this kitchen from the inside. For fun, I learned how to generate PGP keys, sign documents with an unqualified signature, and verify its authenticity. Realizing that I am not discovering America, I nevertheless offer this short tutorial for those who, like me, are amateurs in working with digital signatures. I tried not to go deep into the theory and details, but to write just a small and brief introduction to the subject. For those who already work with EDS this is unlikely to be interesting, but for beginners it is just right as a first acquaintance.


What is an electronic signature


All terms and definitions are given in the law, so I will set everything out, as they say, in my own words, without claiming absolute legal accuracy of the wording.


An electronic digital signature (EDS) is a set of tools that makes it possible to verify unambiguously that the author of a document (or the person who performed an action) is exactly the person who claims to be its author. In this sense, the EDS is completely analogous to a traditional signature: if an ordinary "paper" document says that its author is Ivanov, but Petrov's signature is at the bottom, you may rightly doubt Ivanov's authorship.


An electronic signature can be simple or enhanced. A simple signature does not involve standard cryptographic algorithms; all the authentication (authorization) methods invented before the EDS era are essentially simple electronic signatures. If, for example, you registered on the public services website, confirmed your identity by appearing in person at a multifunctional centre, and then send requests to various government bodies through this website, then your username and password for the public services website are, in this case, your simple electronic signature.


I once encountered the following way of authenticating electronic documents in one organization: before the document was sent, its hash was computed.






The tool used here is PGP (Pretty Good Privacy). It appeared in 1991, and its data format later became an open standard (OpenPGP). In 1999 its free implementation, GNU Privacy Guard (GnuPG, GPG), was released. GPG ships with practically every Linux distribution; for Windows there is the gpg4win package.


To create a key pair, run the following command in a terminal:


gpg --full-generate-key

GPG will ask a few questions in turn:


  • the key type: «RSA and RSA (default)»;
  • the key size: 2048 bits;
  • the validity period of the key;
  • your name, e-mail address and a comment, which together make up the user ID; confirm the entered data;
  • a passphrase that protects the private key.



To export the keys to files (the public key will be handed to everyone who needs to verify your signature), run the following, substituting the user ID you entered, that is, your name or e-mail address:


gpg --export -a "<user id>" > public.key
gpg --export-secret-key -a "<user id>" > private.key

The file private.key must be kept secret; public.key is the one you give away.



To sign a document with a detached signature in text (ASCII-armored) form, run:


gpg -ba <file>

The signature is written next to the original file with the extension .asc: if the document is called privet.doc, the signature file is privet.doc.asc. Without the -a option the signature is binary and gets the extension .sig instead (for example, privet.sig).


To avoid typing the command every time, the same can be done with a tiny Python script that asks for the file in a dialog box:


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Sign the file chosen in a dialog with a detached ASCII-armored GPG signature
import subprocess, sys
from tkinter import *
from tkinter import messagebox
from tkinter.filedialog import askopenfilename

def die(event=None):
    sys.exit(0)

root = Tk()
w = root.winfo_screenwidth()//2 - 400
h = root.winfo_screenheight()//2 - 300
root.geometry("800x600+{}+{}".format(w, h))
root.title("Sign a document")

flName = askopenfilename(title="Which file do you want to sign?")

if flName:
    # the path is passed as a separate argument, so spaces or shell
    # metacharacters in the file name cannot be interpreted by a shell
    result = subprocess.run(["gpg", "-ba", flName])
    if result.returncode != 0:
        messagebox.showerror("Error", "gpg exited with code {}".format(result.returncode))
    button = Button(text="Done")
    button.bind("<Button-1>", die)
    button.pack(expand=YES, anchor=CENTER)
else:
    die()

root.mainloop()


To verify the signature, the recipient runs gpg with the signature file first and the document second:


gpg --verify <document>.asc <document>

For this the verifying party (the recipient) needs:


  • the public.key file, imported into their own GPG (gpg --import public.key);
  • the signature file and the document itself.

So the recipient must also have GPG installed.
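As an added example (not the article's own code), a Python helper that signs and verifies with gpg without passing the file name through a shell, and reads gpg's machine-readable status lines, so that a program can tell a valid signature from a bad one and see that "valid" is not the same as "trusted". The status lines embedded at the end are constructed samples, not output captured from a real run.

```python
import subprocess
from typing import NamedTuple, Optional

class VerifyResult(NamedTuple):
    valid: bool                 # GOODSIG seen and no BADSIG/ERRSIG/NO_PUBKEY
    fingerprint: Optional[str]  # 40-hex fingerprint reported by VALIDSIG
    signer: Optional[str]       # user ID reported by GOODSIG/BADSIG
    trust: Optional[str]        # TRUST_* line: signature valid, but is the key trusted?
    problem: Optional[str]      # last problem keyword, e.g. "BADSIG"

def parse_status(status_text: str) -> VerifyResult:
    """Interpret the '[GNUPG:] ...' lines that gpg --status-fd emits."""
    good = bad = False
    fpr = signer = trust = problem = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # ordinary chatter, not a status line
        parts = line.split()
        kw = parts[1]
        if kw == "GOODSIG":
            good, signer = True, " ".join(parts[3:])
        elif kw == "VALIDSIG":
            fpr = parts[2]
        elif kw in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad, problem, signer = True, kw, " ".join(parts[3:])
        elif kw in ("ERRSIG", "NO_PUBKEY"):
            bad, problem = True, kw
        elif kw.startswith("TRUST_"):
            trust = kw[len("TRUST_"):]
    return VerifyResult(good and not bad, fpr, signer, trust, problem)

def sign_detached(path: str) -> bool:
    """gpg -ba <path>; the path is one argv element, never parsed by a shell."""
    return subprocess.run(["gpg", "-ba", path]).returncode == 0

def verify_detached(sig_path: str, doc_path: str) -> VerifyResult:
    """gpg --verify <sig> <doc>; exit code 0 alone says nothing about trust."""
    proc = subprocess.run(["gpg", "--batch", "--no-tty", "--status-fd", "1",
                           "--verify", sig_path, doc_path],
                          capture_output=True, text=True)
    return parse_status(proc.stdout)

# Constructed sample status output (not captured from a real gpg run)
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Test User <test@example.com>\n"
SAMPLE_NOKEY = "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1704067200 9 -\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
```

A GOODSIG with TRUST_UNDEFINED means the signature matches some key in the keyring, not that the key belongs to the person it names; compare the fingerprint with one obtained out of band.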


The check can also be done in a browser with the OpenPGP.js library: take the file dist/lightweight/openpgp.min.js from its distribution and put it next to a simple HTML page (do not forget the meta tag with the charset):


<!DOCTYPE html>
<html>
<head><meta charset="utf-8"></head>
<body>

<label for="doc">Document to verify</label>
<input id="doc" type="file" onChange="readDoc('doc')">

<label for="sig">Signature file (.asc)</label>
<input id="sig" type="file" onChange="readDoc('sig')">

<button type="button" disabled onClick="check()">Verify</button>
<output></output>

<script src="openpgp.min.js"></script>
<script src="validate.js"></script>

</body>
</html>

The files public.key and openpgp.min.js must lie in the same directory as this page (validate.js fetches public.key from there), and the page has to be served over HTTP(S), since fetch() does not work from a file:// URL in most browsers.


validate.js:


"use strict";
let cont   = {doc:'', sig:''},
    flag   = {doc:false, sig:false},
    pubkey = '',
    mess   = '';

// Read the chosen file: the signature as text (ASCII armor),
// the document as raw bytes (binary)
const readDoc = contKey => {
    let fileObj = document.querySelector(`#${contKey}`).files[0];
    if (!fileObj) return;                       // the file dialog was cancelled

    let reader = new FileReader();
    reader.onload  = async e => {
        cont[contKey] = contKey === "sig" ?
                        e.target.result :
                        new Uint8Array(e.target.result);
        flag[contKey] = true;
        // the public key lies next to the page and is fetched only once
        if (!pubkey) pubkey = await (await fetch("public.key")).text();
        if (flag["doc"] && flag["sig"])
            document.querySelector("button").disabled = false;
    }
    reader.onerror = err => alert("Could not read the file");

    if (contKey === "sig") reader.readAsText(fileObj);
    else                   reader.readAsArrayBuffer(fileObj);
}

// Verify the detached signature against the document and the public key
const check = async () => {
    try {
       const verified = await openpgp.verify({
           message:    openpgp.message.fromBinary(cont["doc"]),
           signature:  await openpgp.signature.readArmored(cont["sig"]),
           publicKeys: (await openpgp.key.readArmored(pubkey)).keys
       });
       const {valid} = verified.signatures[0];
       mess = "The signature is NOT valid!";
       if (valid) mess = "The signature is valid.";
    } catch(e) {mess = "Verification failed: the document, signature or key could not be read.";}
    document.querySelector("output").textContent = mess;
}

That, in fact, is all. Now, in accordance with clause 5.23 of GOST 7.0.97–2016, you can place this beautiful picture on the document (in the place where the handwritten signature should be):


