Re: Is signing a file with multiple keys possible
On Sat, 24 Mar 2018 00:31, gnupg-users@gnupg.org said:

> For Example: John, Harry and Sally wrote a file, lets assume it is a
> text file. Now all of them want to sign this file, so that when
> verifying it, all three signatures are visible.

If you use binary detached signatures (-sb) this is pretty easy. You can
simply concatenate the signature files. We do this for gnupg releases.
gnupg/build-auc/append-signature.sh is a script which helps with this
workflow.

If the messages are armored you need to de-armor (gpg --dearmor) them
first, concatenate and en-armor them. Finally fix up the armor lines.

Shalom-Salam,

   Werner

--
# Please read: Daniel Ellsberg - The Doomsday Machine
# Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is signing a file with multiple keys possible
Hi Dirk,

On 03/24/2018 02:04 AM, Dirk Gottschalk via Gnupg-users wrote:
>>> Is it possible to sign a file with multiple keys?
>>
>> Yes. Slightly lower-level operations than normal signing, but not by
>> much, you just need to know about enarmor/dearmor and how signatures
>> are put together.
>> ...
>
> Thank you very much. It's like chaining up PEM Certs in OpenSSL. Why
> didn't I even think about this? The Format is so similar.

It's even easier when two or more people sign at the same time, just
supply "-u KEYID" multiple times.

At $dayjob our software updates are signed with two smartcards (four eye
principle). Here's the relevant part from the sign script:

    gpg_cmd = ['/usr/bin/gpg2', '--personal-digest-preferences', 'sha256']
    for gpg_id in gpg_sign_ids:
        gpg_cmd.extend(['-u', gpg_id])
    gpg_cmd.extend(['--sign', shlex.quote(target_file)])

Cheers,
Thomas
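Added example, not part of the message above or of the sign script it quotes: the verifying side of a two-signer policy, run over the machine-readable status lines that `gpg --status-fd 1 --verify` prints. GnuPG's status documentation describes VALIDSIG as accompanying GOODSIG, EXPSIG, EXPKEYSIG or REVKEYSIG, so this check only counts a VALIDSIG that follows GOODSIG. The fingerprints, names and status lines are constructed sample data, and the function names are hypothetical.

```python
# Status keywords after which a following VALIDSIG must not count as "good".
NOT_GOOD = {"NEWSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def valid_signers(status_text):
    """Primary-key fingerprints whose signature was reported GOODSIG then VALIDSIG."""
    signers, good = set(), False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in NOT_GOOD:
            good = False
        elif keyword == "VALIDSIG" and args:
            if good:
                # The 10th argument is the primary key fingerprint; if it is
                # absent, fall back to the signing key fingerprint (1st argument).
                signers.add((args[9] if len(args) > 9 else args[0]).upper())
            good = False
    return signers

def missing_signers(status_text, required):
    """Required fingerprints that did not produce a good, valid signature."""
    return {fpr.upper() for fpr in required} - valid_signers(status_text)

# Constructed fingerprints, not real keys. SUB_B stands for a signing subkey of FPR_B.
FPR_A, FPR_B, SUB_B = "A" * 40, "B" * 40, "C" * 40

def constructed_status(second_sig_keyword):
    """Constructed status output for two signatures; the second result is variable."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {FPR_A[-16:]} Signer One (constructed)",
        f"[GNUPG:] VALIDSIG {FPR_A} 2018-03-24 1521849600 0 4 0 1 8 00 {FPR_A}",
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] {second_sig_keyword} {SUB_B[-16:]} Signer Two (constructed)",
        f"[GNUPG:] VALIDSIG {SUB_B} 2018-03-24 1521849700 0 4 0 22 8 00 {FPR_B}",
    ])

print(missing_signers(constructed_status("GOODSIG"), {FPR_A, FPR_B}))
print(missing_signers(constructed_status("EXPKEYSIG"), {FPR_A, FPR_B}))
```
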
Re: Is signing a file with multiple keys possible
On 2018-03-24 at 00:31 +0100, Dirk Gottschalk via Gnupg-users wrote:
> Is it possible to sign a file with multiple keys?

Yes. Slightly lower-level operations than normal signing, but not by
much, you just need to know about enarmor/dearmor and how signatures are
put together.

> For Example: John, Harry and Sally wrote a file, lets assume it is a
> text file. Now all of them want to sign this file, so that when
> verifying it, all three signatures are visible.

--------8< multi-sign recipe >8--------
curl -LO https://pt-dummy-app.herokuapp.com/poetry/if.txt

laptop$ gpg --detach --sign if.txt
laptop$ mv if.txt.sig if.txt.sig-laptop

securebox$ gpg --detach --sign if.txt
securebox$ mv if.txt.sig if.txt.sig-securebox

cat if.txt.sig-laptop if.txt.sig-securebox | gpg --enarmor > if.txt.asc

gpg --verify if.txt.asc
--------8< multi-sign recipe >8--------

If the individual signatures are ASCII-armored, then use `gpg --dearmor`
to turn them into binary format.

Multiple signatures are just one after another: there's no container
_around_ them, no special merging tools needed.

In the above example, the securebox is using:

    local-user 0xlong_subkey_1!
    local-user 0xlong_subkey_2!

in ~/.gnupg/gpg.conf to generate two signatures, so that I sign with
both EDDSA and RSA. Thus the resulting `if.txt.asc' has _three_
signatures.

I've attached the combined signature. You should be able to grab the
famous poem from the URL above and verify my signatures upon the text.
-Phil
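Added example, not part of the message above: a small walker over a de-armored signature file that shows the "one after another, no container" layout by reading each OpenPGP packet header (RFC 4880 framing) and reporting the public-key and hash algorithm of every version 4 signature packet. It checks framing only and verifies nothing cryptographically; the sample bytes are constructed stand-ins with zero-filled bodies, and the function names are hypothetical.

```python
# Algorithm identifiers from the OpenPGP registries (subset).
PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}

def read_header(buf, pos):
    """Return (tag, body_start, body_length) of the packet starting at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError(f"offset {pos}: not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError(f"offset {pos}: partial body length in a signature file")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if length_type == 3:
        raise ValueError(f"offset {pos}: indeterminate length")
    size = 1 << length_type                            # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def list_signatures(blob):
    """Walk concatenated packets; return (pubkey algo, hash algo) per signature."""
    sigs, pos = [], 0
    while pos < len(blob):
        try:
            tag, start, length = read_header(blob, pos)
        except IndexError:
            raise ValueError(f"offset {pos}: truncated packet header") from None
        body = blob[start:start + length]
        # Tag 2 is a signature packet; a v4 body starts: version, type, pubkey, hash.
        if tag != 2 or len(body) != length or length < 4 or body[0] != 4:
            raise ValueError(f"offset {pos}: not a complete v4 signature packet")
        sigs.append((PUBKEY.get(body[2], body[2]), HASH.get(body[3], body[3])))
        pos = start + length
    return sigs

def fake_sig(header, pk_algo, filler_len):
    """Constructed stand-in: real framing and algorithm octets, zero-filled rest."""
    return header + bytes([4, 0x00, pk_algo, 8]) + bytes(filler_len)

SAMPLE = (fake_sig(b"\x89\x01\x30", 1, 300)      # old format, 2-octet length
          + fake_sig(b"\x88\x68", 22, 100)       # old format, 1-octet length
          + fake_sig(b"\xc2\x68", 1, 100))       # new format, 1-octet length

print(list_signatures(SAMPLE))
```
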
Re: Is signing a file with multiple keys possible
Hello Phil.

On Friday, 23.03.2018, 20:44 -0400, Phil Pennock wrote:
> On 2018-03-24 at 00:31 +0100, Dirk Gottschalk via Gnupg-users wrote:
> > Is it possible to sign a file with multiple keys?
>
> Yes. Slightly lower-level operations than normal signing, but not by
> much, you just need to know about enarmor/dearmor and how signatures
> are put together.
> ...

Thank you very much. It's like chaining up PEM Certs in OpenSSL. Why
didn't I even think about this? The Format is so similar.

Thanks,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350
Is signing a file with multiple keys possible
Hello.

Is it possible to sign a file with multiple keys?

For Example: John, Harry and Sally wrote a file, let's assume it is a
text file. Now all of them want to sign this file, so that when
verifying it, all three signatures are visible.

Is this possible? I tried with --clearsign, but that doesn't work,
because the former signatures are disabled by the latest signing
process.

Is there any way to add a signature instead of overriding the former
Signature?

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350