Storing custom signed data in the key

Wiktor Kwapisiewicz wiktor@metacode.biz
Sat Aug 17 22:19:43 CEST 2019


Hi Tomasz,

> what would be the most "canonical" way to store arbitrary, signed data
> along the gpg key? And then: what is the programmatic way of extracting
> said data?
> (...)
> sig!3    N   KEYID 2019-08-17  User Example <user@example.com>
>     Signature notation: pub@signify=SIGNIFYKEY
> 
> 
> Does it make sense? Is it a good idea? What would be a better way?

Yep, that definitely makes sense and notations are a good way to store 
additional data. The only problem here is how to get the notation values 
programmatically in a way that you know the self-signature is valid.

Sadly "gpg --list-options show-notations --with-colons --list-keys $KEY" 
does not print the notation output.

I did use OpenPGP.js to verify the signature and extract notations for a 
small project of mine (https://metacode.biz/openpgp/proofs, example here: 
https://metacode.biz/@wiktor ) but I understand you want to keep the 
dependencies to the minimum.

Maybe you could use GpgME; the docs look promising:

> The signature notations on a key signature are only available if the 
> key was retrieved via a listing operation with the 
> GPGME_KEYLIST_MODE_SIG_NOTATIONS mode enabled, because it can be 
> expensive to retrieve all signature notations.

Source: 
https://www.gnupg.org/(es)/documentation/manuals/gpgme/Key-objects.html#Key-objects

One minor thing: you may want to adjust the notation name (key). RFC 
4880 advises an e-mail-like key where the domain is a name you control. So 
for example "pub-signify@debian.org" if you control "debian.org". 
Additionally it would be nice to have the e-mail redirect to a human in 
case someone sends a message there.

Kind regards,
Wiktor
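As an added illustration (not code from this thread, from GnuPG or from GpgME), the following Python encodes and decodes the RFC 4880 "Notation Data" signature subpacket that carries a `name=value` notation, and applies the e-mail-like naming check Wiktor recommends. It uses only the standard library; the notation names and values are constructed sample data, and the name regex is a heuristic rather than the RFC's wording. It deliberately does not verify any signature: as the reply stresses, a notation is only trustworthy after the self-signature has been verified, so this parser should be pointed at the hashed subpacket area of an already-verified signature (unhashed subpackets are not protected by the signature at all).

```python
"""Encode and decode OpenPGP Notation Data subpackets (RFC 4880, 5.2.3.16).

Constructed example for the gnupg-users discussion above; not GnuPG or
GpgME code.  Run it over the *hashed* subpacket area of a signature that
you have already verified; nothing here checks a signature.
"""
import re
from typing import Iterator, List, Tuple

NOTATION_SUBPACKET_TYPE = 20   # subpacket type id for Notation Data (RFC 4880, 5.2.3.1)
HUMAN_READABLE_FLAG = 0x80     # bit in the first of the four flag octets (5.2.3.16)
# Heuristic for the "name@domain-you-control" convention recommended in RFC 4880.
NAME_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _encode_subpacket_length(n: int) -> bytes:
    """Subpacket length encoding (RFC 4880, 5.2.3.1): 1, 2 or 5 octets."""
    if n < 192:
        return bytes([n])
    if n < 16320:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")


def _decode_subpacket_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length field)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def encode_notation(name: str, value: bytes, human_readable: bool = True,
                    critical: bool = False) -> bytes:
    """Build one Notation Data subpacket: length, type octet, flags, lengths, name, value."""
    name_b = name.encode("utf-8")
    if len(name_b) > 0xFFFF or len(value) > 0xFFFF:
        raise ValueError("name or value too long for a notation subpacket")
    flags = bytes([HUMAN_READABLE_FLAG if human_readable else 0, 0, 0, 0])
    body = (flags + len(name_b).to_bytes(2, "big") + len(value).to_bytes(2, "big")
            + name_b + value)
    type_octet = NOTATION_SUBPACKET_TYPE | (0x80 if critical else 0)  # bit 7 = critical
    return _encode_subpacket_length(len(body) + 1) + bytes([type_octet]) + body


def iter_subpackets(area: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield (type, critical, body) for every subpacket in a subpacket area."""
    pos = 0
    while pos < len(area):
        length, pos = _decode_subpacket_length(area, pos)
        if length < 1 or pos + length > len(area):
            raise ValueError("truncated subpacket")
        type_octet = area[pos]
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]
        pos += length


def parse_notations(area: bytes) -> List[Tuple[str, bytes, bool]]:
    """Extract (name, value, human_readable) from the Notation Data subpackets only."""
    found = []
    for sp_type, _critical, body in iter_subpackets(area):
        if sp_type != NOTATION_SUBPACKET_TYPE:
            continue  # creation time, issuer, key flags, ... are not our concern here
        if len(body) < 8:
            raise ValueError("notation body too short")
        flags = body[:4]
        name_len = int.from_bytes(body[4:6], "big")
        value_len = int.from_bytes(body[6:8], "big")
        if 8 + name_len + value_len != len(body):
            raise ValueError("notation length fields disagree with subpacket length")
        name = body[8:8 + name_len].decode("utf-8")
        value = body[8 + name_len:8 + name_len + value_len]
        found.append((name, value, bool(flags[0] & HUMAN_READABLE_FLAG)))
    return found


def is_well_formed_name(name: str) -> bool:
    """True when the notation name looks like user@domain, per the RFC 4880 advice."""
    return bool(NAME_RE.match(name))


def demo() -> List[Tuple[str, bytes, bool]]:
    """Round-trip two constructed notations past an unrelated subpacket."""
    area = bytes([5, 2, 0, 0, 0, 1])                     # constructed type-2 subpacket, skipped
    area += encode_notation("pub-signify@example.org", b"RWTESTKEY")   # constructed value
    area += encode_notation("blob@example.org", b"A" * 300, human_readable=False)
    return parse_notations(area)
```

`demo()` returns the two notations it embedded; the second one has a body longer than 191 octets, so it exercises the two-octet subpacket length form, and a truncated or inconsistent subpacket raises `ValueError` rather than being silently accepted.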
