Generate digest and signature seperately

Jerome Baum jerome at
Mon Jun 13 19:05:27 CEST 2011

> We had a discussion about smart-card signatures here and basically the
> issue with passing just a hash is that you can't distinguish data
> signatures from certifications/key signatures.

To clarify, you can't tell from the hash, and you can't really add a
packet "I'm signing data here" vs. "I'm signing a key here". At least
that's what I got from the discussion on smart-cards, YMMV when it
comes to a full-blown gnupg install.

Of course, you could solve this problem by signing with a sub-key,
which isn't meant to certify other keys. I do wonder how e.g. PGP
would react on seeing a key certification from a sub-key.

Jerome Baum
tel +49-1578-8434336
email jerome at
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

More information about the Gnupg-users mailing list