Multiple signatures

pjemen pjemen at
Tue Oct 11 13:55:45 CEST 2011

On 3. 10. 2011 23:59, David Shaw wrote:
> On Oct 3, 2011, at 1:49 PM, pet jemen wrote:
>> Hi,
>> I want to sign binary data in OpenPGP Message Format.
>> I want to sign it with two or more keys.
>> According to it seems it is possible.
>>   (A one-octet number holding a flag showing whether the signature is nested.  A zero value indicates that the next packet is another One-Pass Signature packet that describes another signature to be applied to the same message data.)
>> I'd like to use gpg from command-line to sign an input file by two keys.
>> I tried to sign it by:
>>     gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 (test1)<test1 at>" -o %1.signed --sign %1
>>     gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 (test2)<test2 at>" -o %1.signed2 --sign %1.signed
>> But the second signature signed the first one also with the first signature.
>> I need to sign it in a way where I can verify the signature of the signed data by both keys (the last octet of the One-Pass Signature Packet (Tag 4) should be equal to zero).
> Just repeat -u as many times as you need:
>    gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile
> David
Thank you for your advice.

It is exactly what I was looking for.
I have a few more questions.

The reason why I want to sign files this way is to maintain compatibility and
add an additional signature for verifying.
I'd like to sign a file in batch mode this way:

    gpg2.exe --batch --quiet --yes --force-v3-sigs -z 0 --s2k-digest-algo SHA-1 --passphrase-file %passFile1% -u "t0001 <t0001 at>" --s2k-digest-algo SHA512 --passphrase-file %passFile2% -u "t0002 <t0002 at>" -o %1.signed --sign %1

It seems that pgp doesn't take the password from files if I sign by multiple
If I sign files just by one key it works.
Is there a way to sign a file with multiple signatures by two commands
and to get the same OpenPGP binary format?

Another problem I noticed when I signed a file in non-batch mode is that
I’ve specified to use SHA512 for the second signature.
The problem is that the 3rd octet of the One-Pass Signature Packet body in the signed
file is 0x08, which is sha256 according

Any ideas why there isn't 0x0a?

Any help is welcome.

Pavol Misik
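
The One-Pass Signature fields discussed in this thread (the hash algorithm octet and the nested flag) can be read directly from a signed file. The following Python parser is an added example, not part of the original message or of GnuPG; it follows the RFC 4880 packet layout, assumes an uncompressed binary (non-armored) message, and runs on a constructed sample with made-up key IDs.

```python
# Hash algorithm IDs from RFC 4880, section 9.4
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def iter_packets(data):
    """Yield (tag, body) for each definite-length packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        pos += 1
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                return                      # partial body length: stop here
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                return                      # indeterminate length: stop here
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length

def one_pass_signatures(data):
    """Return the fields of every version 3 One-Pass Signature packet (tag 4)."""
    out = []
    for tag, body in iter_packets(data):
        if tag != 4 or len(body) != 13:
            continue
        version, sigtype, hash_id, pk_id = body[:4]
        out.append({"version": version, "sigtype": sigtype, "pubkey_algo": pk_id,
                    "hash": HASH_NAMES.get(hash_id, hex(hash_id)),
                    "keyid": body[4:12].hex().upper(),
                    "nested": body[12]})    # 0 = another tag-4 packet follows
    return out

# Constructed sample: two tag-4 packets and a literal data packet
# (the trailing signature packets of a real file are omitted).
SAMPLE = (bytes.fromhex("900d" "03000801" "1111111111111111" "00")
          + bytes.fromhex("900d" "03000a01" "2222222222222222" "01")
          + bytes.fromhex("ac08" "6200" "00000000") + b"hi")
```

Calling `one_pass_signatures()` on the bytes of a `.signed` file lists, per signer, the hash algorithm octet and nested flag that the message above inspects by hand.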

More information about the Gnupg-users mailing list