multiple signers
Timo Schulz
twoaday at freakmail.de
Sun Dec 8 14:41:02 CET 2002
On Sun Dec 08 2002; 01:02, David Shaw wrote:
> > Does anyone ever sign (or want to sign) with multiple keys at the same
> > time? I'm just wondering how practical/useful this feature would be.
>
> You can. gpg -u key1 -u key2 -u key3 --sign ....
Actually I did some tests with it and the result suprised me:
$ gpg -u opencdk -u john -sba foo.bar
Where the keys look like this:
pub 1536R/333CA589 2001-10-19 John Q. Smith <john at smith.org>
pub 1024D/CCC07C35 2002-01-20 OpenCDK test key
One is v4 and one v3 and I use a detached sig instead of a one-pass
signature. Which means MD5 and SHA1.
$ gpg --verify foo.bar.asc
gpg: Signature made Son 08 Dez 2002 14:38:42 MEZ using RSA key ID E4CA8F45
gpg: Good signature from "OpenCDK test key"
gpg: Signature made Son 08 Dez 2002 14:38:42 MEZ using RSA key ID 333CA589
gpg: WARNING: signature digest conflict in message
gpg: BAD signature from "John Q. Smith <john at smith.org>"
The warning tells me about the MD5/SHA1 conflict and the result is a bad
signature. I'm not sure if the signature is really bad, because the digest
was only computed with SHA1, or if only the wrong digest was set (SHA1
instead of MD5) during the verify hash operation.
I guess we should make it impossible to use multiple signers when it
can't be used the same digest algo. Or we could compute the digest algo
for each hash algo which is neeed by the signers.
Timo
More information about the Gnupg-devel
mailing list