Digital Signatures ??

[sysreset]

What exactly happens to a file when a digital signature is executed? I am interested in how this is authenticated for both text and image files.

[mgb_phys]

The file is unchanged, a number is calculated from the contents of the file and your secret key. If the number produces a valid result when calculated with your public key then the signatuere is proved and the file was unaltered.

http://en.wikipedia.org/wiki/Digital_signature
The actual algorithm depends on which particular crypto system you are using. The important part is that the other person doesnt need anything secret form you to prove the signture

[sysreset]

Thanks mgb. I read the wiki article. I am writing C code for an application that will need to execute a digital signature on image files. Are there standard libraries or plug-ins for this sort of thing?

[mgb_phys]

What exactly do you need to do with the image?
If you just need to prove it wasn't altered then MD5 is the easiest, there are lots of free libs. If you need other people to be able to verify it then Windows includes the CryptoAPI (linux has a simialir set of functions).
It's not exactly plug and play you do need to understand a little about the topic.

A good alternative is just to sign the file with PGP (or better gnupg).
Either way you will also have to generate a key pair and publish the public one - pgp/gnupg has good docs on how to do this.

[sysreset]

The image files are gif's. We need to be able to tell (1) that the gif was signed and (2) who signed it. I am not sure if it is preferable to alter the image in this process or just create some kind of log or companion file using the keys. If there are standards for this function out there I would like to adopt those standards.

Since you said the image is not altered in this process, I am wondering about the log or companion files that record the signature. It seems a little messy to create a separate log file for each signed image. Is it common to create a dated log file for multiple signed images? Or a database, since there are muliple signers?

[mgb_phys]

Signing the file simply generates a long number, which is normally written in hex like
"d3c71afb8b88b1050067633cd8bcc4ca0bae696d", you then have to publish your public key.
The receiver needs to check it with, this number, the unchanged file and the public key.
GnuPG contains(GPL licenced) routines to do this.
There are lots of other sets of ode out there, google have jut launchedone called Keyczar, although it doesnt support C++ yet.

[sysreset]

Thanks again mgb... I think I have plenty of sources to work with now.

[las3rjock]

Is the goal to sign or to watermark the images? These are similar but not identical processes...

[sysreset]

To sign. However, the images are not being sent to a recipient, they are just being archived. The purpose is just to document that the image has been viewed, the time and date, and by whom.

[las3rjock]

Are you planning to store the signatures as metadata in the image file, or in a separate database?

[sysreset]

I am leaning towards the separate database, but would listen to opinions on the pros and cons of both approaches.