Beginner, help me sign messages as an "it is me" password

Ok, I’m a real beginner with GPG, a long-term Linux user, comfortable enough entering the terminal every so often but sticking to the GUI for most tasks.

I know gpg is command line and am not afraid of that; I’ve been using two simple GPG commands:
gpg --no-symkey-cache --output file.extension --decrypt file.extension.gpg

gpg -c file.extension

to do symmetric crypto, for quite a few years, like for emailing an attached file to yourself, or emailing a file to someone else with whom you’ve previously shared an agreed symmetric crypto key in a face to face meeting.

But I’m now looking to use the asymmetric features of GPG’s more advanced crypto methods in a more sophisticated way.

This isn’t about encryption; the exact scenario here doesn’t involve that. This is about authentication. I want to be able to generate very specific messages, on rare occasions, that can prove “i” and “me”.

Which is to say I want to do the equivalent of presharing a “password” with someone, and they would then know that any communication they were to later receive which had this “password” was indeed me, whatever new or anonymised channel it came from. Like if I lost my email address and had to set up a new one, within the first email from the new one I could establish that, as far as the recipient is concerned, the email really is from me and not from an imposter. Or like being able to make forum posts from anonymised accounts, but having the “special password” included in them all in such a way that one day I could come along and say, those posts, anonymous at the time of posting, were all mine, because see here I’m the only one able to “sign” things with the same “password”.

Now, in the first circumstance a simple quoted password might in theory work, but only once, or maybe not even that long if the first email from a new address got intercepted and blocked and an imposter sent one of his own from another address now that he knew the password. In the second scenario, the moment you quote the password in the first of a series of posts, all from different accounts on different forums maybe, then everyone can learn it and anyone could impersonate you.

So I want to use asymmetric crypto, particularly the gpg tool as it is already preinstalled in most Linux distros so that anyone I talk with can easily have it at hand too, to “sign” myself with a “password”. I can pre-share information initially, but the main point is to be able to tell someone that, “if you receive a message which can $(pass certain gpg based test with the right result) you’ll know it came from me”. It’s like having the opposite of normal asymmetric crypto: a publicly shared key that anyone can use to “decrypt” the signature and a private key that only I can “encrypt” with.

I want this to be independent of actual encryption. I don’t want to HAVE to encrypt the messages I do this with; I want to be able to send “authenticated” messages so people can authenticate them properly, but if my recipient hasn’t the time right now to properly authenticate a message I’d like them to still be able to read the contents.

I couldn’t find a guide online when searching for this concept, but was probably using the wrong keywords. Can anyone point me to an EASY tutorial (command line familiar but not a gpg expert and very sketchy on what various gpg specific and crypto specific terms all mean in the formal sense) about how to use gpg in this application, for making a uniquely quotable “password” by which I can prove that an anonymised communication I send, to a recipient I already know, is indeed me.

Thank you

Why not simply use OpenPGP signatures?

In the beginning, each of the communication partners creates OpenPGP key pairs and in the first, secure, exchanges you verify the public key really belongs to the other individual (it appears you already have some way to do this).
Then you sign all your (e-mail) messages, files etc with your OpenPGP key.
This is a standard process and does not require any terminal usage at all.

You can also add other e-mail addresses to an existing keypair later. Or, if you prefer to create a new key pair for the new e-mail address, sign the new key with your old one. In both cases, the recipients can quickly check the authenticity.

Can you point me to some tutorials? Also, the person I’m talking with knows less about GPG than I do, so things need to be really easy at his end too.

I don’t want to have to make him decrypt all the messages before he can read them, so I want something that operates as an asymmetric “it is me” password in the easiest possible way.

Thanks

Text and image tutorial preferred over video tutorial

It’s been a few days so, sorry to bump this thread but…
Can anyone advise me of a good tutorial on how to do this? I simply want an easy way to make “signatures” that only I (the person with the secret password in their head) could sign, without having to use all the other encryption infrastructure at the same time. Thank you

In my opinion the easiest way would be to install Kleopatra if your correspondent is not used to the command line.

Start Kleopatra, create an OpenPGP key there and set a check mark at “Protect the generated key with a passphrase.” in the process.
With that key you can now create signatures, and as you chose a password for it, you have to enter it for each signature.

Then you can sign files via “Sign/Encrypt” in Kleopatra; as you do not want to encrypt, remember to remove all check marks in the “Encrypt to” section.

For short messages you want to share e.g. by mail, you can also use Kleopatra’s notepad. Remember to remove the check marks in the Encrypt section here, too, if you only want to sign. The whole message with the BEGIN and END lines then would have to be copied from / to the notepad to check the signature.
Depending on the way you exchange messages / your email program there might be an easier workflow, but that would require some more setup and we would need more info.

Don’t forget to do the following once, before starting your correspondence:
Give the public key to the person you want to communicate with, otherwise they won’t be able to check the signature.
Then you have to compare the fingerprint on a different channel than the one you sent the pubkey by, and the other person has to certify your pubkey with their own private key. The action for that can be found in the context menu of that pubkey/certificate.
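The command-line version of what both replies above describe (create a key, hand over the public key, confirm the fingerprint on a second channel, certify it, then sign without encrypting and verify on the other side), as an added example that is not from this thread. Two throwaway keyrings stand in for the two people; the names signer@example.invalid and reader@example.invalid, the empty passphrases and the message text are constructed for the demo, and a real key would carry a passphrase as the Kleopatra reply recommends.

```shell
#!/bin/sh
# Added example, not from the thread: the "it is me" check done with gpg alone,
# signing only, no encryption. Two throwaway keyrings play the two people;
# the names, addresses and message text are constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demo"; exit 0; }

WORK=$(mktemp -d)
ME="$WORK/me"       # your keyring (holds the private key)
THEM="$WORK/them"   # your correspondent's keyring (gets only your public key)
mkdir -m 700 "$ME" "$THEM"
trap 'gpgconf --homedir "$ME" --kill gpg-agent 2>/dev/null; gpgconf --homedir "$THEM" --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Both keys get an empty passphrase so the demo runs unattended. A real key
# should have a passphrase; gpg then asks for it every time you sign.
gen_key() {  # $1 = homedir, $2 = user id
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null
}
gen_key "$ME"   'Demo Signer <signer@example.invalid>'
gen_key "$THEM" 'Demo Reader <reader@example.invalid>'

# One-time exchange: the public key can travel over any channel; the fingerprint
# is read out over a different one (phone, in person) so a swapped key is noticed.
gpg --homedir "$ME" --armor --export signer@example.invalid > "$WORK/signer.pub.asc"
FPR=$(gpg --homedir "$ME" --with-colons --fingerprint --list-keys signer@example.invalid \
      | awk -F: '$1 == "fpr" { print $10; exit }')

gpg --homedir "$THEM" --batch --quiet --import "$WORK/signer.pub.asc" 2>/dev/null
# The recipient records that the fingerprint was confirmed by certifying the key
# locally (a non-exportable signature); this also silences gpg's
# "not certified with a trusted signature" warning on later verifications.
gpg --homedir "$THEM" --batch --yes --quick-lsign-key "$FPR" 2>/dev/null

# Your side: clearsign leaves the text readable by anyone and appends the signature.
sign_message() {  # $1 = plain-text file; clearsigned text goes to stdout
    gpg --homedir "$ME" --batch --quiet --clearsign --output - "$1"
}

# Their side: "genuine" means gpg reports a valid signature AND the signing key
# is the one whose fingerprint was confirmed, not merely some key named Demo Signer.
recipient_verifies() {  # $1 = clearsigned file; exit status 0 = it really is you
    gpg --homedir "$THEM" --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$FPR"
}

printf 'New address, same person. Call me on Tuesday.\n' > "$WORK/msg.txt"
sign_message "$WORK/msg.txt" > "$WORK/msg.asc"
recipient_verifies "$WORK/msg.asc" && echo "msg.asc: genuine"

# An imposter who changes even one word of the readable text breaks the signature
# and cannot make a fresh one without the private key held in $ME.
sed 's/Tuesday/Monday/' "$WORK/msg.asc" > "$WORK/tampered.asc"
recipient_verifies "$WORK/tampered.asc" || echo "tampered.asc: rejected"
```

The clearsigned block in msg.asc (BEGIN PGP SIGNED MESSAGE through END PGP SIGNATURE) is what you paste into an e-mail or forum post; the text stays readable without gpg, and whoever wants the proof saves the block to a file and runs `gpg --verify` on it. Checking only the exit status of `gpg --verify` tells you that some key in your keyring made the signature, which is why the function above also pins the fingerprint you compared out of band. For a file you send as an attachment, `gpg --detach-sign file` produces a separate `file.sig` that is verified with `gpg --verify file.sig file`.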