Re: Multiple signatures

2011-10-11 Thread pjemen

On 3. 10. 2011 23:59, David Shaw wrote:

> On Oct 3, 2011, at 1:49 PM, pet jemen wrote:
>
>> Hi,
>>
>> I want to sign binary data in OpenPGP Message Format.
>> I want to sign it by two or more keys.
>> According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is
>> possible.
>>   (A one-octet number holding a flag showing whether the signature is nested.
>> A zero value indicates that the next packet is another One-Pass Signature
>> packet that describes another signature to be applied to the same message data.)
>>
>> I'd like to use gpg from command-line to sign an input file by two keys.
>> I tried to sign it by:
>> gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u test1 (test1)te...@test1.org -o %1.signed --sign %1
>> gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u test2 (test2)te...@test2.org -o %1.signed2 --sign %1.signed
>>
>> But the second signature signed the first one also with the first signature.
>> I need to sign it in a way where I can verify signature of signed data by both
>> keys (the last octet of One-Pass Signature Packets (Tag 4) packet should be
>> equal to zero).
>
> Just repeat -u as many times as you need:
>
>    gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile
>
> David


Thank you for your advice.

It is exactly what I was looking for.
I have a few more questions.

The reason why I want to sign files this way is to maintain compatibility and
add an additional signature for verifying.

I'd like to sign a file in batch mode this way.

gpg2.exe --batch --quiet --yes --force-v3-sigs -z 0 --s2k-digest-algo 
SHA-1 --passphrase-file %passFile1% -u t0001 t0...@t0001.com 
--s2k-digest-algo SHA512 --passphrase-file %passFile2% -u t0002 
t0...@t0002.com -o %1.signed --sign %1


It seems that pgp doesn't take the password from files if I sign by multiple
keys.

If I sign files just by one key it works.
Is there a way to sign a file with multiple signatures by two commands
and to get the same OpenPGP binary format?


Another problem I've noticed when I signed a file in non-batch mode is that
I've specified to use SHA512 for the second signature.
The problem is that the 3rd octet of the One-Pass Signature Packet body in the signed
file is 0x08, which is SHA256 according to
http://tools.ietf.org/html/rfc4880#section-9.4


Any ideas why there isn't 0x0a?

Any help is welcome.

Pavol Misik

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
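
The two One-Pass Signature octets asked about in the message above (third body octet = hash algorithm, last body octet = nested flag) can be read straight from the signed file. The parser below is an added example, not code from the thread or from GnuPG; it handles only definite-length packet headers, and `SAMPLE` is a constructed byte string with made-up key IDs that omits the trailing Signature packets.

```python
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 section 9.4

def iter_packets(data):
    """Yield (tag, body) for each top-level packet with a definite length."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            size = 1 << ltype                # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def one_pass_signatures(data):
    """Decode every version 3 One-Pass Signature packet (tag 4)."""
    return [{"hash": HASH_ALGOS.get(body[2], hex(body[2])),  # 3rd body octet
             "key_id": body[4:12].hex().upper(),
             "nested": body[12]}                             # last body octet
            for tag, body in iter_packets(data)
            if tag == 4 and len(body) == 13 and body[0] == 3]

# Constructed sample: two one-pass packets and a literal data packet, laid out
# like an uncompressed (-z 0) message from two signers; key IDs are made up.
SAMPLE = (bytes.fromhex("900d03000801" "1111111111111111" "00")
          + bytes.fromhex("900d03000801" "2222222222222222" "01")
          + bytes.fromhex("ac09" "6200" "00000000") + b"hi\n")

if __name__ == "__main__":
    for ops in one_pass_signatures(SAMPLE):
        print(ops)
```

To inspect a real file, pass its bytes to `one_pass_signatures()`; ASCII-armored or compressed output has to be unwrapped first.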


Re: Multiple signatures

2011-10-11 Thread Werner Koch
On Tue, 11 Oct 2011 13:55, pje...@gmail.com said:

> Other problem I've noticed when I signed file in non-batch mode is that
> I’ve specified to use SHA512 for second signature.

You didn't.  What you did is to specify an S2K hash algorithm which is
used to turn passphrases into keys.  Further it is not possible to
change the algorithms for each key.  You may be better off not to tinker
around with algorithm options if you don't have a close understanding of
how they work.  GnuPG has sensible defaults and a preference system to
select algorithms.

Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Multiple signatures

2011-10-03 Thread David Shaw
On Oct 3, 2011, at 1:49 PM, pet jemen wrote:

 Hi,
 
 I want to sign binary data in OpenPGP Message Format.
 I want to sign it by two or more keys.
 According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is 
 possible.
  (A one-octet number holding a flag showing whether the signature is nested.  
 A zero value indicates that the next packet is another One-Pass Signature 
 packet that describes another signature to be applied to the same message 
 data.)
 
 I'd like to use gpg from command-line to sign an input file by two keys.
 I tried to sign it by:
gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u test1 (test1) 
 te...@test1.org -o %1.signed --sign %1
gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u test2 (test2) 
 te...@test2.org -o %1.signed2 --sign %1.signed
 
 But the second signature signed the first one also with the first signature.
 I need to sign it in a way where I can verify signature of signed data by both
 keys (the last octet of One-Pass Signature Packets (Tag 4) packet should be 
 equal to zero).

Just repeat -u as many times as you need:

  gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile

David




Re: Multiple signatures

2011-10-03 Thread Doug Barton
On 10/03/2011 14:39, Aaron Toponce wrote:
 On Mon, Oct 03, 2011 at 07:49:21PM +0200, pet jemen wrote:
 I want to sign binary data in OpenPGP Message Format.
 I want to sign it by two or more keys.
 According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is
 possible.
  (A one-octet number holding a flag showing whether the signature is
 nested.  A zero value indicates that the next packet is another One-Pass
 Signature packet that describes another signature to be applied to the same
 message data.)

 I'd like to use gpg from command-line to sign an input file by two keys.
 I tried to sign it by:
gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u test1 (test1) 
 te...@test1.org -o %1.signed --sign %1
gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u test2 (test2) 
 te...@test2.org -o %1.signed2 --sign %1.signed

 But the second signature signed the first one also with the first signature.
 I need to sign it in a way where I can verify signature of signed data by both
 keys (the last octet of One-Pass Signature Packets (Tag 4) packet should be
 equal to zero).
 
 You should use detached signatures:
 
 $ gpg -b -u $KEYID1 -o sig1.gpg file.txt
 $ gpg -b -u $KEYID2 -o sig2.gpg file.txt
 
 At this point, just concatenate the two detached sigs:
 
 $ cat sig1.gpg sig2.gpg > signatures.gpg

Wouldn't it be easier to just use 


:)

Doug

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/




Re: Multiple signatures

2010-06-21 Thread Boris
Ok, Thanks David,

But what if the file is signed by people working on different computers?
So they will add their signature on the current separate file
(corresponding to the people who already signed a specific file).

Koushkov

2010/6/18 David Shaw ds...@jabberwocky.com

 On Jun 17, 2010, at 11:33 PM, Boris wrote:

  Hi,
 
  I would like to know if there is a way to add multiple signatures for a
 file (in a separate file) and check who signed with just one command (so not
 by signing a signed file...).

 Sure.

   gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign

 You'll end up with a file-to-sign.sig that contains all three signatures.
  When you verify file-to-sign.sig, all three signatures will be checked.

 Alternately, you can do the same multiple signer trick with regular
 --sign if you want the data and signatures to be put together into a single
 file.

 David




Re: Multiple signatures

2010-06-21 Thread Boris
Thank you very much David
It is exactly what I wanted

2010/6/18 David Shaw ds...@jabberwocky.com

  On Jun 17, 2010, at 11:33 PM, Boris wrote:
 
   Hi,
  
   I would like to know if there is a way to add multiple signatures for a
 file (in a separate file) and check who signed with just one command (so not
 by signing a signed file...).
 
  Sure.
 
gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
 
  You'll end up with a file-to-sign.sig that contains all three signatures.
  When you verify file-to-sign.sig, all three signatures will be checked.
 
  Alternately, you can do the same multiple signer trick with regular
 --sign if you want the data and signatures to be put together into a single
 file.

 On Jun 18, 2010, at 9:14 AM, Boris wrote:

  Ok, Thanks David,
 
  But what if the file is signed by people working on different computers?
  So they will add their signature on the current separate file
 (corresponding to the people who already signed a specific file).

 If you want a bunch of people all signing the same file, have each signer
 do this:

 gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign

 Then have them all send you their file-to-sign.sig files.  You create a
 file containing all of them:

 cat signer-1-signature signer-2-signature signer-3-signature > file-to-sign.sig

 Then anyone can verify file-to-sign.sig against the original file-to-sign
 and see all the signatures verified.

 David




Re: Multiple signatures

2010-06-21 Thread Robert J. Hansen
On 6/18/10 3:39 PM, ved...@nym.hush.com wrote:
 gpg --armor -u signer -u signer2 -u signer3 --clearsign filename
 
 no.
 
 6.5.8 and 6.5.8 ckt will crash only when trying to verify multiple 
 signatures of the same text when *clearsigned*.

Perhaps I'm in error here, but -- isn't a clearsign the command I specified?





Re: Multiple signatures

2010-06-18 Thread Robert J. Hansen
On 6/17/10 11:33 PM, Boris wrote:
 Hi,
  
 I would like to know if there is a way to add multiple signatures for a
 file (in a separate file) and check who signed with just one command (so
 not by signing a signed file...).


gpg --armor -u signer -u signer2 -u signer3 --clearsign filename

Warning: these signatures will break old versions of PGP.  6.5.8 and the
6.5.8CKT builds will crash when trying to verify them.



Re: Multiple signatures

2010-06-18 Thread David Shaw
On Jun 17, 2010, at 11:33 PM, Boris wrote:

 Hi,
  
 I would like to know if there is a way to add multiple signatures for a file 
 (in a separate file) and check who signed with just one command (so not by 
 signing a signed file...).

Sure.

   gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign

You'll end up with a file-to-sign.sig that contains all three signatures.  When 
you verify file-to-sign.sig, all three signatures will be checked.

Alternately, you can do the same multiple signer trick with regular --sign if 
you want the data and signatures to be put together into a single file.

David




Re: Multiple signatures

2010-06-18 Thread David Shaw
 On Jun 17, 2010, at 11:33 PM, Boris wrote:
 
  Hi,
 
  I would like to know if there is a way to add multiple signatures for a 
  file (in a separate file) and check who signed with just one command (so 
  not by signing a signed file...).
 
 Sure.
 
   gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
 
 You'll end up with a file-to-sign.sig that contains all three signatures.  
 When you verify file-to-sign.sig, all three signatures will be checked.
 
 Alternately, you can do the same multiple signer trick with regular --sign 
 if you want the data and signatures to be put together into a single file.

On Jun 18, 2010, at 9:14 AM, Boris wrote:

 Ok, Thanks David,
  
 But what if the file is signed by people working on different computers?
 So they will add their signature on the current separate file (corresponding
 to the people who already signed a specific file).

If you want a bunch of people all signing the same file, have each signer do 
this:

gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign

Then have them all send you their file-to-sign.sig files.  You create a file 
containing all of them:

cat signer-1-signature signer-2-signature signer-3-signature > file-to-sign.sig

Then anyone can verify file-to-sign.sig against the original file-to-sign and 
see all the signatures verified.

David




Re: Multiple signatures

2010-06-18 Thread vedaal
Robert J. Hansen rjh at sixdemonbag.org wrote on
Fri Jun 18 14:13:56 CEST 2010 :


>> I would like to know if there is a way to add multiple signatures for a
>> file (in a separate file) and check who signed with just one command (so
>> not by signing a signed file...).
>
> gpg --armor -u signer -u signer2 -u signer3 --clearsign filename
>
> Warning: these signatures will break old versions of PGP.  6.5.8 and the
> 6.5.8CKT builds will crash when trying to verify them.


no.

6.5.8 and 6.5.8 ckt will crash only when trying to verify multiple 
signatures of the same text when *clearsigned*.

Verifying 'Multiple simultaneous signatures' done in armored signed 
format, or in signed and encrypted format, or as detached 
signatures, will not cause any problem for 6.5.8, 6.5.8 ckt, or 
6.5.8 commandline.


vedaal




Re: Multiple signatures on a single file

2005-09-05 Thread Berend Tober

Alphax wrote:

> Berend Tober wrote:
>
>> Is it possible to have multiple persons sign a single file? If so, how
>> is this done?
>>
>> The particular scenario is currently this: Employees submit expense
>> reports for business travel using a spread sheet. Current practise is
>> the employee fills out spread sheet via computer (or optionally
>> prints blank spread sheet template and writes by hand with a pen),
>> physically signs using pen and ink, physically delivers signed hardcopy
>> to supervisor for supervisor pen-and-ink signature prior to payment
>> processing.
>>
>> Desired practise is to eliminate both producing hard copy and
>> pen-and-ink signatures, and then re-work the process using gpg
>> electronic signatures. Thus, employee would enter data into expense
>> report spread sheet, save, gpg sign, mail to supervisor, supervisor
>> would (presumably) open and review spread sheet, close without changing,
>> gpg sign, and then return to employee or forward to accounting dept.
>>
>> Sounds straightforward, but I didn't spot in the various
>> manuals/guides/how-to's for gnupg how a second individual could add
>> their signature after me.
>
> Use detached signatures? Generate a key to sign the document with, and
> have that key signed by the supervisor?
 

What I don't like about doing that explicitly is that every additional
signature, at least in the default operational mode, appends an
additional .sig file extension. Furthermore, the signatures are
wrapped within one another, so that verification would require
serial verification of each preceding outer layer signature. What I've
been refining during the last couple days uses a command line script to
append additional detached signatures into a single signature file. This
approach models more directly the co-signature concept of legacy
contracts, i.e., think of buying a house -- you and your spouse are
co-signators rather than having one sign the contract and the other sign
the other's signature. What you suggested models the concept of a notary
public witnessing a signature, but that we already have by signing
public keys in the trust model.




Re: Multiple signatures on a single file

2005-09-02 Thread Alphax

Berend Tober wrote:
 Is it possible to have multiple persons sign a single file? If so, how
 is this done?
 
 The particular scenario is currently this: Employees submit expense
 reports for business travel using a spread sheet. Current practise is
 the employee fills out spread sheet via computer (or optionally
 prints blank spread sheet template and writes by hand with a pen),
 physically signs using pen and ink, physically delivers signed hardcopy
 to supervisor for supervisor pen-and-ink signature prior to payment
 processing.
 
 Desired practise is to eliminate both producing hard copy and
 pen-and-ink signatures, and then re-work the process using gpg
 electronic signatures. Thus, employee would enter data into expense
 report spread sheet, save, gpg sign, mail to supervisor, supervisor
 would (presumably) open and review spread sheet, close without changing,
 gpg sign, and then return to employee or forward to accounting dept.
 
 Sounds straightforward, but I didn't spot in the various
 manuals/guides/how-to's for gnupg how a second individual could add
 their signature after me.
 

Use detached signatures? Generate a key to sign the document with, and
have that key signed by the supervisor?

Just my 2c...

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
