On 3. 10. 2011 23:59, David Shaw wrote:
On Oct 3, 2011, at 1:49 PM, pet jemen wrote:

Hi,

I want to sign binary data in OpenPGP Message Format.
I want to sign it by two or more keys.
According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is possible.
  (A one-octet number holding a flag showing whether the signature is nested. A zero value indicates that the next packet is another One-Pass Signature packet that describes another signature to be applied to the same message data.)

I'd like to use gpg from command-line to sign an input file by two keys.
I tried to sign it by:
    gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 (test1)<te...@test1.org>" -o %1.signed --sign %1
    gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 (test2)<te...@test2.org>" -o %1.signed2 --sign %1.signed

But the second signature signed the first one also, together with the first signature.
I need to sign it in a way where I can verify the signature of the signed data by both keys (the last octet of the One-Pass Signature Packet (Tag 4) body should be equal to zero).
Just repeat -u as many times as you need:

   gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile

David

Thank you for your advice.

It is exactly what I was looking for.
I've a few more questions.

The reason why I want to sign files this way is to maintain compatibility and add an additional signature for verifying.
I'd like to sign a file in batch mode this way.

gpg2.exe --batch --quiet --yes --force-v3-sigs -z 0 --s2k-digest-algo SHA-1 --passphrase-file %passFile1% -u "t0001 <t0...@t0001.com>" --s2k-digest-algo SHA512 --passphrase-file %passFile2% -u "t0002 <t0...@t0002.com>" -o %1.signed --sign %1

It seems that pgp doesn't take the password from files if I sign by multiple keys.
If I sign files just by one key it works.
Is there a way to sign a file with multiple signatures by two commands and get the same OpenPGP binary format?

Another problem I've noticed when I signed a file in non-batch mode is that
I specified SHA512 for the second signature.
The problem is that the 3rd octet of the One-Pass Signature Packet body in the signed file is 0x08, which is SHA256 according to http://tools.ietf.org/html/rfc4880#section-9.4

Any ideas why there isn't 0x0a?

Any help is welcome.

Pavol Misik
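To check the two octets discussed in this thread (the hash-algorithm octet and the trailing nested flag of each One-Pass Signature packet, RFC 4880 section 5.4) without trusting a tool's summary, here is an added example that walks the packet sequence of an OpenPGP message. It is not code from the thread or from GnuPG; the sample message is constructed inline with dummy signature bodies, and the key IDs are made up.

```python
import struct

# RFC 4880 section 9.4 hash algorithm ids (the 3rd octet of a v3 One-Pass Signature body)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

def read_packet_header(buf, pos):
    """Parse an old- or new-format packet header (RFC 4880 4.2); return (tag, body_start, body_len)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag byte at offset %d" % pos)
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not handled in this example")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not handled in this example")
    nbytes = 1 << ltype
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")

def one_pass_sigs(msg):
    """Return [(hash_algo_name, key_id_hex, nested_flag)] for every Tag 4 packet, in message order."""
    out, pos = [], 0
    while pos < len(msg):
        tag, start, length = read_packet_header(msg, pos)
        if tag == 4:
            body = msg[start:start + length]
            version, sig_type, hash_algo, pk_algo = body[:4]  # v3 One-Pass Signature layout
            nested = body[12]  # last octet: 0 means another One-Pass Signature packet follows
            out.append((HASH_ALGOS.get(hash_algo, hex(hash_algo)), body[4:12].hex(), nested))
        pos = start + length
    return out

def nesting_is_consistent(sigs):
    """All but the last One-Pass packet must carry 0; the last must be non-zero."""
    return bool(sigs) and all(s[2] == 0 for s in sigs[:-1]) and sigs[-1][2] != 0

def packet(tag, body):  # new-format header, one-octet length (body < 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body

def ops_body(hash_algo, key_id, nested):  # version 3, sig type 0x00 (binary), RSA (1)
    return bytes([3, 0x00, hash_algo, 1]) + key_id + bytes([nested])

# Constructed sample: SHA1 and SHA512 signatures over one literal packet, then two dummy Signature packets.
SAMPLE = (packet(4, ops_body(2, bytes.fromhex("0102030405060708"), 0))
          + packet(4, ops_body(10, bytes.fromhex("1112131415161718"), 1))
          + packet(11, b"b\x00" + bytes(4) + b"hello")
          + packet(2, b"\x03" * 19) + packet(2, b"\x03" * 19))

if __name__ == "__main__":
    print(one_pass_sigs(SAMPLE), nesting_is_consistent(one_pass_sigs(SAMPLE)))
```

Note that `--s2k-digest-algo` only selects the hash used by the string-to-key function that protects the secret key with the passphrase; the hash recorded in the One-Pass Signature packet is chosen with `--digest-algo`.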

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
