Embedded signatures
Anthony E. Greene
agreene@pobox.com
Fri Sep 7 15:26:02 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 7 Sep 2001, Guy Van Sanden wrote:
>Is it possible to sign files embedded?
>
>e.g. sign a pdf document (signature in the pdf file), and distribute it
>to people with and without pgp, so that they both can read it.
>
>If the document ever popped up somewhere, it would have to be
>verifiable...
That's what clearsigning is for.
If you want to sign a file that's not plain text and leave the file
unchanged, then you will need to use a detached sig. But you cannot embed
the detached sig into the file, because that changes the file and
invalidates the sig.
My recommendation is that the signer make a detached sig and archive it
along with the document. A copy of the sig would be posted on a web server
that's accessible to anyone who might need to verify the document and the
sig's URL would be included in the document.
Here's an example:
http://www.pobox.com/~agreene/example.pdf
Tony
- --
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
Chat: AOL/Yahoo: TonyG05
Linux. The choice of a GNU Generation. <http://www.linux.org/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Anthony E. Greene <agreene@pobox.com> 0x6C94329D
iD8DBQE7mMphpCpg3WyUI50RAp3oAKDJ3D4UuuqwB1lD5DU/Wj4qZBD7vwCg9l4M
ZKS0wbFv79GTe6jMfX/abUE=
=FBOs
-----END PGP SIGNATURE-----
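
The workflow recommended in the message above, as an added example that is not part of the original post: the signature URL goes into the document before signing, the detached signature is kept as a separate file, and appending that signature to the document makes verification fail. It assumes GnuPG 2.1 or later; the throwaway key, the file names and the example.invalid URL are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detached signature vs. "embedding" it in the signed file.
# Everything runs in a throwaway keyring; no existing keys are touched.
demo_detached_sig() (
    GNUPGHOME=$(mktemp -d) || exit 2
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    work=$(mktemp -d) || exit 2

    # Constructed signing key with no passphrase (demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <signer@example.invalid>' \
        default default never 2>/dev/null || exit 2

    # Constructed stand-in for the PDF. The URL where the signature will be
    # published is written into the document BEFORE signing, so adding it
    # later does not change the signed bytes.
    printf '%%PDF-1.4 stand-in\nSignature: https://example.invalid/doc.pdf.asc\n' \
        > "$work/doc.pdf"

    # Detached signature: doc.pdf itself is left byte-for-byte unchanged.
    gpg --batch --quiet --armor --detach-sign \
        --output "$work/doc.pdf.asc" "$work/doc.pdf" 2>/dev/null || exit 2

    # Case 1: verify the untouched document against the separate signature.
    if gpg --batch --quiet --verify "$work/doc.pdf.asc" "$work/doc.pdf" 2>/dev/null
    then intact=good; else intact=bad; fi

    # Case 2: "embed" the signature by appending it to the document, then
    # verify the same signature against the modified file.
    cat "$work/doc.pdf" "$work/doc.pdf.asc" > "$work/embedded.pdf"
    if gpg --batch --quiet --verify "$work/doc.pdf.asc" "$work/embedded.pdf" 2>/dev/null
    then embedded=good; else embedded=bad; fi

    # Clean up the throwaway agent, keyring and work files.
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME" "$work"

    # First word: untouched document; second word: document with sig appended.
    echo "$intact $embedded"
)

demo_detached_sig
```

A recipient without GnuPG can still open the document normally; a recipient with it fetches the `.asc` file from the URL in the document and runs the same `gpg --verify` command with the signer's public key imported.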