Multiple signatures

pjemen pjemen at gmail.com
Tue Oct 11 13:55:45 CEST 2011


On 3. 10. 2011 23:59, David Shaw wrote:
> On Oct 3, 2011, at 1:49 PM, pet jemen wrote:
>
>> Hi,
>>
>> I want to sign binary data in OpenPGP Message Format.
>> I want to sign it with two or more keys.
>> According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is possible.
>>   (A one-octet number holding a flag showing whether the signature is nested.  A zero value indicates that the next packet is another One-Pass Signature packet that describes another signature to be applied to the same message data.)
>>
>> I'd like to use gpg from command-line to sign an input file by two keys.
>> I tried to sign it by:
>>     gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 (test1)<test1 at test1.org>" -o %1.signed --sign %1
>>     gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 (test2)<test2 at test2.org>" -o %1.signed2 --sign %1.signed
>>
>> But the second signature signed the first one also with the first signature.
>> I need to sign it in a way where I can verify the signature of the signed data by both keys (the last octet of the One-Pass Signature Packet (Tag 4) body should be equal to zero).
> Just repeat -u as many times as you need:
>
>    gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile
>
> David
>
Thank you for your advice.

It is exactly what I was looking for.
I've a few more questions.

The reason why I want to sign files this way is to maintain compatibility and 
add an additional signature for verifying.
I'd like to sign a file in batch mode this way.

    gpg2.exe --batch --quiet --yes --force-v3-sigs -z 0 --s2k-digest-algo SHA-1 --passphrase-file %passFile1% -u "t0001 <t0001 at t0001.com>" --s2k-digest-algo SHA512 --passphrase-file %passFile2% -u "t0002 <t0002 at t0002.com>" -o %1.signed --sign %1

It seems that pgp doesn't take the password from the files if I sign by multiple 
keys.
If I sign files with just one key it works.
Is there a way to sign a file with multiple signatures using two commands 
and get the same OpenPGP binary format?

Another problem I've noticed when I signed a file in non-batch mode is that
I specified SHA512 for the second signature.
The problem is that the 3rd octet of the One-Pass Signature Packet body in the signed 
file is 0x08, which is SHA256 according to 
http://tools.ietf.org/html/rfc4880#section-9.4

Any ideas why it isn't 0x0a?

Any help is welcome.

Pavol Misik
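An added example, not part of this message or of GnuPG: a small Python reader that walks an OpenPGP binary message and reports, for each One-Pass Signature packet (Tag 4), the hash algorithm octet (RFC 4880 section 9.4) and the nested flag, so you can check what a multi-signer file actually contains before trusting a verifier's summary. The sample bytes are constructed inside the block (two OPS packets followed by placeholder literal-data and signature packets); they are not real gpg output.

```python
# RFC 4880 section 9.4 hash algorithm identifiers (the 3rd body octet of a Tag 4 packet)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def iter_packets(data):
    """Yield (tag, body) for each packet; partial and indeterminate lengths are rejected."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag at offset %d" % pos)
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            else:
                raise ValueError("5-octet and partial body lengths not supported")
        else:  # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length

def one_pass_signatures(data):
    """Describe every One-Pass Signature packet (Tag 4, 13-octet v3 body) in a message."""
    found = []
    for tag, body in iter_packets(data):
        if tag == 4:
            found.append({"hash": HASH_ALGOS.get(body[2], "unknown(%d)" % body[2]),
                          "key_id": body[4:12].hex().upper(),
                          "last": body[12] != 0})  # nested octet 0 = another OPS packet follows
    return found

def ops_packet(hash_id, key_id_hex, nested):
    """Build a v3 One-Pass Signature packet with an old-format header (constructed test data)."""
    body = bytes([3, 0x00, hash_id, 1]) + bytes.fromhex(key_id_hex) + bytes([nested])
    return bytes([0x90, len(body)]) + body

# Constructed sample: two signers over one literal packet; the signature packets are dummies.
SAMPLE = (ops_packet(10, "0102030405060708", 0) + ops_packet(8, "1112131415161718", 1)
          + bytes([0xCB, 6]) + b"b\x00\x00\x00\x00\x00"   # tag 11 literal data, empty body
          + bytes([0x88, 1, 3]) * 2)                      # two placeholder tag 2 packets
```

Run `one_pass_signatures(open("file.signed", "rb").read())` on a real binary (non-armored) gpg output to see the hash octet and nested flag of each signer; the first OPS packet of a two-signer file should report `last: False` and the second `last: True`.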