multiple signers

Timo Schulz twoaday at
Sun Dec 8 14:41:02 CET 2002

On Sun Dec 08 2002; 01:02, David Shaw wrote:

> > Does anyone ever sign (or want to sign) with multiple keys at the same
> > time?  I'm just wondering how practical/useful this feature would be.
> You can.  gpg -u key1 -u key2 -u key3 --sign ....

Actually I did some tests with it and the result suprised me:

$ gpg -u opencdk -u john -sba

Where the keys look like this:
pub  1536R/333CA589 2001-10-19 John Q. Smith <john at>
pub  1024D/CCC07C35 2002-01-20 OpenCDK test key 

One is v4 and one v3 and I use a detached sig instead of a one-pass
signature. Which means MD5 and SHA1.

$ gpg --verify
gpg: Signature made Son 08 Dez 2002 14:38:42 MEZ using RSA key ID E4CA8F45
gpg: Good signature from "OpenCDK test key" 
gpg: Signature made Son 08 Dez 2002 14:38:42 MEZ using RSA key ID 333CA589
gpg: WARNING: signature digest conflict in message
gpg: BAD signature from "John Q. Smith <john at>"

The warning tells me about the MD5/SHA1 conflict and the result is a bad
signature. I'm not sure if the signature is really bad, because the digest
was only computed with SHA1, or if only the wrong digest was set (SHA1 
instead of MD5) during the verify hash operation.

I guess we should make it impossible to use multiple signers when it
can't be used the same digest algo. Or we could compute the digest algo
for each hash algo which is neeed by the signers.


More information about the Gnupg-devel mailing list