Multiple signatures on a single file

Berend Tober btober at
Mon Sep 5 13:41:19 CEST 2005

Alphax wrote:

>Hash: RIPEMD160
>Berend Tober wrote:
>>Is it possible to have multiple persons sign a single file? If so, how
>>is this done?
>>The particular scenario is currently this: Employees submit expense
>>reports for business travel using a spread sheet. Current practise is
>>the the employee fills out spread sheet via computer (or optionally
>>prints blank spread sheet template and writes by hand with a pen),
>>physically signs using pen and ink, physically delivers signed hardcopy
>>to supervisor for supervisor pen-and-ink signature prior to payment
>>Desired practise is to eliminate both producing hard copy and
>>pen-and-ink signatures, and then re-work the process using gpg
>>electronic signatures. Thus, employee would enter data into expense
>>report spread sheet, save, gpg sign, mail to supervisor, supervisor
>>would (presumably) open and review spread sheet, close without changing,
>>gpg sign, and then return to employee or forward to accounting dept.
>>Sounds straightforward, but I didn't spot in the various
>>manuals/guides/how-to's for gnupg how a second individual could add
>>their signature after me.
>Use detached signatures? Generate a key to sign the document with, and
>have that key signed by the supervisor?
What I don't like about doing that explicitly is that every additional 
signature, at least in the default operational mode, appends an 
additional ".sig" file extension. Further more, the signatures are 
wrapped withing one another, so that to verification would require 
serial verification of each preceding outer layer signature. What I've 
been refining during the last couple days uses a command line script to 
append additional detached signatures into a single signature file. This 
approach models more directly the co-signature concept of legacy 
contracts, i.e., think of buying a house -- you and you spouse are 
co-signators rather than having one sign the contract and the other sign 
the others signature. What you suggested models the concept of a notary 
public witnessing a signature, but that we already have by signing 
public keys in the trust model.

More information about the Gnupg-users mailing list