Verifying signcrypted data with detached signature/ Setting Hash for verify

Werner Koch wk at
Fri Feb 27 11:05:28 CET 2004

On Wed, 25 Feb 2004 10:31:08 -0800 (PST), Harakiri  said:

> when i try to verify signcrypted data which has a
> detached signature gpg always ask for a DATA file.

signed+encrypted data is different from detached signature.  gpg does
not interpret the data inside a OpenPGP message.  Thus if you want to
have detached signature and a data file inside an OpenPGP message, you
must first pack those 2 files into some kind of archive and the apply
the other signature and encryption. 

> Now i dont have this file yet (obviously) since the
> decrypt process is not finished yet.

Hmm, I don't undertsand what you are going to achieve.

> Why is gpg unable to handle detached signatures
> without the --output param. Also, can i save the *.sig

gpg --verify foo.sig foo

works fine for everyone, why do you want to output something for a
detached signature?

> Finally, is it possibily to specify a HASH ALG (i.e.
> SHA1) while verifying - for example if the header of a

According to OpenPGP, a missing Hash header means MD5.  In theory we
could setup hash context for all avaibale algorithms but this is slow
and it is far easier to a add a "Hash: SHA1" line to the message if
you somehow got a crippled message.


More information about the Gnupg-devel mailing list