Embedded signatures

Anthony E. Greene agreene@pobox.com
Fri Sep 7 15:26:02 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 7 Sep 2001, Guy Van Sanden wrote:

>Is it possible to sign files embedded?
>
>e.g. sign a pdf document (signature in the pdf file), and distribute it
>to people with and without pgp, so that they both can read it.
>
>If the document ever popped up somewhere, it would have to be
>verifiable...

That's what clearsigning is for. If you want to sign a file that's not plain text and leave the file unchanged, then you will need to use a detached sig. But you cannot embed the detached sig into the file, because that changes the file and invalidates the sig.

My recommendation is that the signer make a detached sig and archive it along with the document. A copy of the sig would be posted on a web server that's accessible to anyone who might need to verify the document, and the sig's URL would be included in the document.

Here's an example:

http://www.pobox.com/~agreene/example.pdf

Tony
- --
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
Chat: AOL/Yahoo: TonyG05
Linux. The choice of a GNU Generation. <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Anthony E. Greene <agreene@pobox.com> 0x6C94329D

iD8DBQE7mMphpCpg3WyUI50RAp3oAKDJ3D4UuuqwB1lD5DU/Wj4qZBD7vwCg9l4M
ZKS0wbFv79GTe6jMfX/abUE=
=FBOs
-----END PGP SIGNATURE-----
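
The detached-signature workflow described in the reply above, as an added example that is not part of the original message. It assumes GnuPG 2.1 or later on the PATH; the throwaway key, the file names and the file contents are constructed for the demonstration. It signs a stand-in document, verifies it, then appends the signature to a copy of the document to show that the embedded copy no longer verifies.

```shell
#!/usr/bin/env bash
# Added example: detached signature vs. "embedding" the signature in the file.
# Assumes GnuPG 2.1+; the key, file names and contents are constructed.

# Print VALID or INVALID for detached signature $1 over file $2.
verify_status() {
    if gpg --batch --quiet --verify "$1" "$2" 2>/dev/null; then
        echo VALID
    else
        echo INVALID
    fi
}

# Runs in a subshell so the temporary GNUPGHOME never leaks to the caller.
demo_detached_sig() (
    work=$(mktemp -d) || exit 2
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" && cd "$work" || exit 2

    # Throwaway, unprotected, sign-only key (constructed identity).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <signer@example.invalid>' \
        ed25519 sign 1d 2>/dev/null || exit 2

    # Constructed stand-in for the real document.
    printf '%%PDF-1.4 constructed stand-in for a real document\n' > example.pdf

    # The signature goes into its own file; example.pdf is left byte-identical.
    gpg --batch --quiet --armor --detach-sign \
        --output example.pdf.asc example.pdf 2>/dev/null || exit 2
    echo "untouched: $(verify_status example.pdf.asc example.pdf)"

    # Appending the signature changes the signed bytes, so it stops matching.
    cp example.pdf embedded.pdf
    cat example.pdf.asc >> embedded.pdf
    echo "embedded: $(verify_status example.pdf.asc embedded.pdf)"
)

demo_detached_sig
```

A recipient who only has the document and the published `.asc` file runs the same `gpg --verify example.pdf.asc example.pdf` step after importing the signer's public key.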