HunterBirnie

Speeding Things Up With Digital Signatures

Old Data-Bloke

June 2019


Waiting for signatures and scanning ‘wet-ink’ copies slows your processes — speed them up with electronic signatures.


How many times have you heard (or said):

‘Please sign your copy, scan it and send it back — then we'll sign it and return a copy to you.’

Sometimes a signature really is required and the above can be a reasonable compromise: but let's face it — it slows things right down and bloats the size of a document by requiring a ‘picture’ to be scanned and attached. What would be handy would be a simple method of indicating that you had signed the document without having to print, sign, scan, make a new PDF file… and so on. A ‘wet-ink’ signature slows your process and bloats your documents

A ‘wet-ink’ signature slows your process and bloats your documents

Digital signatures give you this — although they sound complicated they are very simple (at least for the user): not only that, they are free (at least GPG, the one I'll describe here, is).

The process is very simple: you choose the file you want to sign and perhaps unsurprisingly, either right-click on the file and select ‘sign’ or run a separate program to do so (it depends on your operating system). You are then prompted for a PIN or pass-phrase: just like using your debit card at a cash-point, this unlocks the signing ‘key’ and allows you to sign. Note that this is NOT the password for the document — it's just a protection for your private key (I'll come to keys later). This will create a separate signature file that, when supplied with the original document, can be used to show your signature is valid. For example, here's our SOP on SOPs and its signature file:

SOP file and its signature file.

And here's the validation dialogue displayed by my system when I right-click on the .SIG file and choose ‘Open with Verify Signature’ (again, your system will vary):

Good signature message.

This is all fine, but what if someone wants to forge my signature, or change the document. Let's try it — I copied another PDF file and gave it the same name. If I now try to verify the signature, I get:

Bad signature error message.

That's handy… and the same would apply if the .SIG file were changed or modified.

Something else to note is that the signature is separate from the document — it doesn't change the original in any way, it's not embedded in it, not does it touch it: the signature file stands alone.

So, back to our original requirement — you have to sign and so does the other party. You have a number of choices (assuming both of you use GPG):–

  • The other party signs the document file
  • The other party signs your signature file

Number 2 might sound strange, but the signature file is just another file as far as the system is concerned so it's perfectly possible to sign it too. You might do this where you have order of signing (e.g. Author, Reviewer, Authorisation) and it is important to maintain that.

I haven't covered how to set up GPG, signing e-mails nor covered encrypting documents (you get that too) — I'll do so in another article.