Signatures stored as information inside a "public key"/certificate?

bezna george.davidescu at
Fri Jun 13 17:07:12 CEST 2008


I'm having a disagreement with someone over this. From what I've read,
signatures on a "public key" or rather, a certificate, including the
self-signature, are stored as a packet on that key. The important point:
This data (i.e. all the signatures made on your certificate) is encoded on the
certificate within that block of ASCII armoured text/binary data when it is
exported for someone else to import in their keyring.

Now I'm being told that signatures are not part of the certificate itself,
but rather as data on the keyring, and that the "export" command in fact
exports this additional data from your keyring and somehow attaches it to
the public key to produce the ASCII armoured output or whatever. Similarly,
I'm being told that when you upload your keys to a keyserver, what is in
fact uploaded is your "keyring" and that this is where the signature data
comes from.

To me the latter view is false. I see the list of signatures as being a
component of the certificates stored within the certificate, not somewhere
else. When keys are uploaded to a server, you can filter out which keys you
want uploaded; the notion of a "public keyring" to me is simply a set of
public keys (certificates), with no extra data attached, or at least not the
signatures. While it is possible to export multiple certificates at once in
one block of text, this text contains just those certificates, not some
"keyring" or meta-entity; the certificates then contain their respective
signature data.

Which is correct? Are signatures an inherent part of the key or are they
stored extrinsically?

Sent from the GnuPG - User mailing list archive at
