checking multiple signatures of different types (or different digests)

David Shaw dshaw at
Mon Jan 14 02:37:08 CET 2013

On Jan 13, 2013, at 2:16 AM, John Clizbe <JPClizbe at> wrote:

> Hash: SHA1,SHA256
> Daniel Kahn Gillmor wrote:
> Funny... as in odd. I do that very thing ALL the time. And it verifies just
> fine. See
> for an example.

This is why it works for you.  You have a clearsigned message with multiple hashes and multiple signatures, which is a defined part of the spec.  I'm not completely sure what Russ Allbery's code is doing, but I suspect it's multiple detached sigs in a single file.


  cat thefile | gpg -u key1 --armor --detach-sign > my-sigs.asc
  cat thefile | gpg -u key2 --armor --detach-sign >> my-sigs.asc

(Where key1 and key2 use different hashes)

There is history to this, but the brief version is that this was never supported, and in fact GPG tells you it isn't supported ("gpg: WARNING: multiple signatures detected.  Only the first will be checked.").  I added the warning message way back in 2002/2003.  It only allows this if both sigs are of the same class (i.e. both binary or both textmode) and the same hash.

Now, none of this means it couldn't be added.  We'd need to run multiple hash contexts, with one for each signature, and given how the file-of-sigs is currently processed that's not exactly trivial.  Given that until now, nobody noticed the lack since 2003, I'm not sure that it's a common problem.


More information about the Gnupg-devel mailing list