
2001 Tech Tip: Using PGP to Verify Digital Signatures

White Paper
This white paper discusses how to use Pretty Good Privacy (PGP) to verify digital signatures.

Software Engineering Institute


PGP stands for Pretty Good Privacy. It is a computer program that uses mathematical algorithms to encrypt files and protect them from unauthorized access. It is also used to digitally sign and verify documents. Versions of the PGP program are available for most popular computer operating systems—Microsoft Windows, MacOS, and UNIX, to name a few.

Because most of our constituents receive documents that are signed with the CERT/CC PGP key, we focus on the second use. In this paper, we provide some background information about PGP and explain how to check signatures for validity. A PGP signature appears as a block of seemingly random letters and numbers at the end of the text. A valid digital signature tells the reader of the document that it was written by the owner of the PGP key and the text hasn't been changed in any way since it was signed.

A publicized example, illustrating the need for verification of documents, arose at a university. A student forged an email message to a class in the name of the instructor, claiming that there had been a death in the instructor's family and the final exam was postponed. As a result, most of the class members did not show up for the final.