
The difference between a digital signature and a MAC is non-repudiation. A message with a digital signature proves that only the sender could have signed the message, whereas a message with a MAC proves that either the sender or the recipient could have signed the message.

Can an OpenPGP implementation, such as GPG, be used to sign a message without providing non-repudiation?

Please note that I am referring to non-repudiation in the cryptographic sense, not in the legal sense.

F1Linux
Flimm

4 Answers


Yes, there's an indirect way to perform what's asked with PGP and variants.

Draw an asymmetric public/private key (of a type that can sign), protected by a passphrase. Publish the passphrase-protected private key. Discard the public key (it's in the private key anyway). Use the passphrase as you would use a symmetric key: share it by trusted means between sender and receiver (perhaps together with the passphrase-protected private key). Generate, transmit and verify a detached signature (sig file) of a file to integrity-protect as you would do for a MAC of the file.

fgrieu

With asymmetric cryptography, the sender is not able to encrypt it such that the receiver could have encrypted it without disclosing a private secret without performing a symmetric key exchange. Once you exchange a symmetric key however, you could symmetrically encrypt the contents of the message and the MAC and then encrypt the shared key with the public key of the recipient. It is then impossible to prove that the message was signed by the sender since either party could have encrypted the message and MAC. I'm not sure if this can be done by the specific library implementation you mentioned though.

That said, I'm not sure why you changed from asking if PGP could do it to asking if asymmetric cryptography could. PGP makes use of both forms of cryptography.

AJ Henderson

There's no way in OpenPGP to MAC a message. You can sign it, but that's it.

We could have a lively debate about the legal ramifications of a digital signature, and I'll take the side that it means less than you've been told it has. Like everything, context matters. I could give you a use case where there'd be an approximately 100% likelihood that a digital signature would be "legal" and another where there'd be about zero. In the latter case, it could in contrast be evidence that the keyholder was hacked.

However, there is a feature of OpenPGP that might give you something like what you want. That is the Modification Detection Code. MDCs are on by default for any encrypted message these days.

The MDC is a subtle thing. When we (the working group) did it, we wanted a way to know that a message was intact, but not have to sign it. That is, the message is repudiable, but reliable (to some extent).

The problem arises from the fact that CFB encryption can be tail-truncated with impunity. In other words, if you get an unsigned OpenPGP message, you can never know that something wasn't removed from the end. (CBC mode has a related feature that it can be head-truncated with impunity.)

The MDC code puts a hash of the message at the end and encrypts it as usual. There are a few things to note about this:

  • We did it before there was a lot of theory about where a MAC ought to be placed. Present accepted practice is that you MAC the ciphertext, not the plaintext.

  • There are known "attacks" against this. Most notably, you can create an "existential forgery" of a message. This is really important with something like IPsec or TLS, but for OpenPGP is mostly a yawn, as it's a higher level concept. Spam is an existential forgery, for example.

  • The lack of reliability is a feature, given what the working group wanted. Remember, if you want a message to be intact, you can sign it. Heck, you can create a one-time signing key and sign it with that, if you're worried about legal etc. ramifications. Keys are cheap. What we wanted was a repudiable message that the receiver had a good chance to know arrived intact. It meets this goal. It fails to meet things that weren't goals for the feature, and frankly, my opinion is that you should just sign the message. As I said before, create a new signing key if you don't want tracking.

I think this is very close to what you want. It's not a MAC, it's less strong than a MAC. But it provides a reasonable level of assurance that the obvious CFB flaw hasn't happened.

Jon

Jon Callas

Authentication is the process of providing assurance that data has not been tampered with, whereas non-repudiation demonstrates that the message is from the holder of a particular private key. In general hash methods are used to provide authentication. Signing data with a private key provides non-repudiation whether you like it or not.

If you want to send a message in a way where it can be authenticated, but not linked back to yourself then hash the unencrypted message. If the recipient has PGP or something like it you can encrypt the message and its hash with the recipient's public key.

GdD
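As an added example (not code from any of the answers above, and a toy rather than OpenPGP's real packet format), the following Python shows the three things the Jon Callas and GdD answers describe: a CFB-mode ciphertext that can be tail-truncated without the receiver noticing, an MDC-style hash of the plaintext appended before encryption that catches the truncation, and the "MAC the ciphertext" (encrypt-then-MAC) variant that Jon names as present accepted practice. The block function is a SHA-256 keyed PRF standing in for AES (CFB only ever uses the cipher in the forward direction), the keys, IV and message are constructed fixed values, and OpenPGP's actual MDC (SHA-1 plus packet framing) is simplified to SHA-256 over the bare message.

```python
"""Toy CFB mode, an MDC-style trailing hash, and encrypt-then-MAC.
Standard library only; the SHA-256 "block cipher" is a stand-in for AES
and this code is for illustration, not for protecting real data."""
import hashlib
import hmac

BLOCK = 32  # block size of the toy PRF (SHA-256 output length)
TAG = 32    # length of the SHA-256 / HMAC-SHA256 trailer


def block_fn(key: bytes, block: bytes) -> bytes:
    """Forward-only keyed block function.  CFB never needs the inverse,
    so a PRF is enough to show how the mode behaves (toy AES substitute)."""
    return hashlib.sha256(key + block).digest()


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        ct = bytes(p ^ k for p, k in zip(chunk, block_fn(key, prev)))
        out += ct
        prev = ct  # next keystream block depends only on this ciphertext block
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Because each keystream block depends only on the previous ciphertext
    # block, chopping bytes off the end yields a clean, shorter plaintext.
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, block_fn(key, prev)))
        prev = chunk
    return bytes(out)


def seal_with_mdc(key: bytes, iv: bytes, message: bytes) -> bytes:
    """MDC idea: plaintext || H(plaintext), then encrypt the whole thing.
    (Real OpenPGP uses SHA-1 and packet framing; simplified here.)"""
    return cfb_encrypt(key, iv, message + hashlib.sha256(message).digest())


def open_with_mdc(key: bytes, iv: bytes, ciphertext: bytes):
    """Return the message, or None when the trailing hash does not verify."""
    plain = cfb_decrypt(key, iv, ciphertext)
    if len(plain) < TAG:
        return None
    body, trailer = plain[:-TAG], plain[-TAG:]
    if not hmac.compare_digest(trailer, hashlib.sha256(body).digest()):
        return None
    return body


def seal_etm(enc_key: bytes, mac_key: bytes, iv: bytes, message: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext under a shared key."""
    ct = cfb_encrypt(enc_key, iv, message)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_etm(enc_key: bytes, mac_key: bytes, iv: bytes, blob: bytes):
    """Verify the tag before decrypting; None on any mismatch."""
    if len(blob) < TAG:
        return None
    ct, tag = blob[:-TAG], blob[-TAG:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cfb_decrypt(enc_key, iv, ct)


def demo() -> dict:
    """Run the three variants against a tail-truncated message (constructed input)."""
    enc_key, mac_key, iv = b"k" * 32, b"m" * 32, b"\x00" * 32  # fixed, for repeatability
    msg = b"Transfer 100 EUR to account A. Then cancel the transfer."
    cut = len(b" Then cancel the transfer.")  # bytes removed from the end in transit

    ct = cfb_encrypt(enc_key, iv, msg)
    sealed = seal_with_mdc(enc_key, iv, msg)
    blob = seal_etm(enc_key, mac_key, iv, msg)
    flipped = bytes([blob[0] ^ 0x01]) + blob[1:]  # one ciphertext bit changed

    return {
        "plain_cfb_truncated": cfb_decrypt(enc_key, iv, ct[:-cut]),    # silently shortened
        "mdc_intact": open_with_mdc(enc_key, iv, sealed),
        "mdc_truncated": open_with_mdc(enc_key, iv, sealed[:-cut]),    # None: detected
        "etm_intact": open_etm(enc_key, mac_key, iv, blob),
        "etm_truncated": open_etm(enc_key, mac_key, iv, blob[:-cut]),  # None: detected
        "etm_flipped": open_etm(enc_key, mac_key, iv, flipped),        # None: detected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The plain-CFB case decrypts the shortened ciphertext to "Transfer 100 EUR to account A." with no error, which is the flaw the MDC was designed against; both the MDC-style trailer and the encrypt-then-MAC tag reject it, and only the latter also rejects a flipped ciphertext bit before any decryption happens. Note that in the encrypt-then-MAC case the receiver holds the same `mac_key` and can therefore produce a valid tag for any message of its own choosing, which is precisely the repudiability the question asks about; a signature made with a private key that only one party holds is what removes it.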