Step 1
Choose the contact address. To whom should vulnerability reports be sent: your own company or your IT service provider? Decide up front who can and will handle the reports.
Step 2
Use the generator on securitytxt.org and fill in at least the contact address and the expiration date. One click then generates your own security.txt file.
Step 3
Sign the file with a key pair generated by the open-source program GnuPG (gpg), an implementation of OpenPGP. The command gpg --clearsign produces a signed text file; it does not encrypt the content, so the file stays readable. Before executing this command, the keys must first be generated. Open a terminal in Linux and generate the keys with the following command:
gpg --full-generate-key
- Specify the key type or press enter to apply the default (RSA and RSA).
- Specify the size of the key or press enter to apply the default value (3072 bits).
- Specify the validity period of the key; by default the key does not expire.
- Enter your name and then the email address.
- Confirm the specified settings by typing the capital letter Y.
- Enter a passphrase to protect the new key.
The result is displayed in the terminal. Store this key data, including the passphrase, in a secure location.
The command gpg --clearsign is only applicable to text files. The option --clearsign wraps the document in an ASCII-armored digital signature without altering the document itself. Running gpg --clearsign security.txt generates a security.txt.asc file that can be opened with any text editor.
The keys can be listed with the command gpg --list-keys.
Step 4
With the keys in place, the security.txt file can now be signed.
Use the security.txt file from step 2.
The command below signs the file and adds a Hash: SHA512 header to the signed text.
gpg then prompts you for the passphrase of the key it selects, identified by the name and email address you entered (see step 3).
gpg --clear-sign security.txt
Step 5
Rename the file from security.txt.asc back to security.txt.
Verify that the file is properly signed:
gpg --verify security.txt
This gives the following output in the terminal:
gpg: Signature made 03/25/24 13:30:50 West-Europa (standaardtijd)
gpg: using RSA key 7C55AE5718A68146018DREDLK34LKSl
gpg: Good signature from “name <admin@name.com>” [ultimate]
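As an added check that is not part of the original guide, the following Python script inspects the renamed security.txt before it goes on the server: it confirms that the clearsign armor and Hash header from steps 3 to 5 survived the rename and that the mandatory Contact and Expires fields are present and not expired. The sample file is constructed, and cryptographic verification of the signature remains the job of gpg --verify.

```python
from datetime import datetime, timezone

# Constructed sample: security.txt after gpg --clear-sign and the step-5 rename; the signature block is a placeholder
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:security@example.com
Expires: 2030-12-31T23:59:00.000Z
Preferred-Languages: en, nl
-----BEGIN PGP SIGNATURE-----

placeholderSignatureDataNotARealSignature
=AbCd
-----END PGP SIGNATURE-----
"""

def check_security_txt(text, now=None):
    """Structural checks only; the signature itself is verified by gpg --verify."""
    now = now or datetime.now(timezone.utc)
    problems, lines = [], text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        problems.append("not a clearsigned file (missing BEGIN PGP SIGNED MESSAGE)")
        body = lines
    else:
        if not any(l.startswith("Hash:") for l in lines[1:3]):
            problems.append("missing Hash: armor header")
        try:  # signed text runs from the first blank line to the signature block
            body = lines[lines.index("", 1) + 1:lines.index("-----BEGIN PGP SIGNATURE-----")]
        except ValueError:
            return problems + ["signature block not found"]
        if "-----END PGP SIGNATURE-----" not in lines:
            problems.append("signature block not terminated")
    fields = [l.split(":", 1) for l in body if ":" in l]
    contacts = [v.strip() for k, v in fields if k.strip().lower() == "contact"]
    expires = [v.strip() for k, v in fields if k.strip().lower() == "expires"]
    if not contacts:
        problems.append("no Contact field")
    problems += [f"Contact is not a mailto:/https:/tel: URI: {c}"
                 for c in contacts if not c.startswith(("mailto:", "https://", "tel:"))]
    if len(expires) != 1:
        return problems + ["exactly one Expires field is required"]
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if when.tzinfo is None:  # RFC 9116 requires a zone; assume UTC if absent
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(f"Expires is in the past: {expires[0]}")
    except ValueError:
        problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems
```

An empty list means the file passed; run it on the renamed file with check_security_txt(open("security.txt").read()).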
Step 6
Create a directory named .well-known on your web server. This directory sits one level below the web root, the main directory from which your website is served (see the example above). Place the signed security.txt file in this directory.