per-user data signatures [was: Re: multiple keys vs multiple identities]

David Shaw dshaw at
Fri Sep 24 17:53:17 CEST 2010

On Sep 24, 2010, at 11:23 AM, Daniel Kahn Gillmor wrote:

> On 09/24/2010 10:30 AM, Simon Richter wrote:
>> Of course. I was talking about data signatures, i.e. "I'm signing this
>> with my work hat on".
> ah, gotcha.  sorry for the misunderstanding.
>> The main use case I have is my Debian work -- when I sign a .changes
>> file, the Debian archive will accept it, even if the package in question
>> was really intended for another repository (where I use the same key for
>> authentication).
>> As my main key is well-established in the WoT, I'd like to use the
>> existing connections to get a trust path; however using the key directly
>> leads to the problem that the signature can be interpreted in multiple
>> ways.
> yeah, this makes sense.  in the context of debian packaging, the
> material signed is relevant.  if your changelog says "unstable" then
> debian will accept it.  if you're uploading it to some other repo, that
> repo would presumably be named something other than "unstable".
> fwiw, it wouldn't be difficult to propose such a notation, and it should
> be possible to implement it quickly in debsign using gpg's --set-notation.

There is actually a defined field for this in OpenPGP (see section, Signer's User ID).  I don't think anyone implements it though.

> However, testing right now, it doesn't seem to work with gpg for regular
> data signatures:
> echo test | gpg --sign --set-notation 'test at' | \
>  gpg --list-packets
> does not show the notation :(

It works for me.  I even cut and paste your exact command line.

	hashed subpkt 20 len 28 (notation: test at


More information about the Gnupg-users mailing list