Generate digest and signature seperately

Jerome Baum jerome at
Tue Jun 14 02:42:56 CEST 2011

On Tue, Jun 14, 2011 at 02:31, Kerrick Staley <mail at> wrote:
> Just to make sure that I'm understanding this, a complete PGP signature does
> not embed information about whether it is the signature of a file or the
> signature of a certificate, so it's a bad idea to sign a remotely generated
> digest?

It does, and the hash it signs is generated from that (key) data
prefixed with a string that differs between certs and data sigs.

Jerome Baum
tel +49-1578-8434336
email jerome at
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

More information about the Gnupg-users mailing list