understanding GnuPG "--clearsign" option

David Shaw dshaw at jabberwocky.com
Tue Aug 13 00:25:06 CEST 2013


On Aug 12, 2013, at 4:40 AM, Martin T <m4rtntns at gmail.com> wrote:

> Hi,
> 
> one can sign the message with "--clearsign" option which adds ASCII
> armored (Radix-64 encoding) "PGP signature" at the end of the text.
> This "PGP signature" contains the UID of the signer, timestamp and key
> ID. However, two questions:
> 
> 1) Where is the UID of the signer, timestamp of the signature and
> signer key-ID stored? If I execute "gpg2 --verify file.asc", then I'm
> able to see the UID of the signer, timestamp and signer key-ID, but if
> I decode the Radix-64/base64 data back to binary (base64 -d) and use
> "hexdump -C" to analyze this data, I do not see the UID, timestamp or
> signer key-ID.

The timestamp and the signer's key ID are both present in the binary blob.  The signer's user ID is not, as GPG is using the signer's key ID to look up the signer's key and shows the user ID from there.

> 2) What exactly is this "PGP signature"? Is it a SHA1 hash of the
> message which is encrypted with my private key and then ASCII armored?

It's not always SHA-1, and there are other things included in the hash, but at a very high level, this is basically accurate.  The exact construction of a signature and how the input is calculated is given in RFC-4880, the OpenPGP specification.

David
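An added example, not part of David's reply or of GnuPG's own code, that walks the packet structure he points to: it builds a constructed v4 signature packet with the layout GnuPG emits for --clearsign (RFC 4880 section 5.2.3), wraps it in armor, then undoes the armor and parses the packet to locate the creation timestamp and issuer key ID that gpg2 --verify reports. The key ID, timestamp, hash prefix and MPI are constructed dummies, so the packet cannot verify; the parser also shows there is no user ID field anywhere in the bytes.

```python
import base64
import struct
# Constructed sample: v4 signature packet, old-format header (tag 2), as in
# RFC 4880 s.5.2.3. Dummy MPI, so it never verifies; only the layout matters.
CREATED = 1376265600                          # 2013-08-12T00:00:00Z, constructed
KEY_ID = bytes.fromhex("0123456789ABCDEF")    # constructed key ID, not a real key

def build_armored_signature(created=CREATED, key_id=KEY_ID):
    hashed = bytes([5, 2]) + struct.pack(">I", created)     # subpacket 2: creation time
    unhashed = bytes([9, 16]) + key_id                      # subpacket 16: issuer key ID
    body = (b"\x04\x01\x01\x08"                             # v4, type 0x01 text, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                                   # left 16 bits of the hash
            + struct.pack(">H", 16) + b"\xab\xcd")          # dummy 16-bit MPI
    packet = b"\x89" + struct.pack(">H", len(body)) + body  # 0x89 = old format, tag 2, 2-byte len
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n=none\n-----END PGP SIGNATURE-----\n")

def subpackets(area):
    p = 0
    while p < len(area):                                    # each: length, type, value
        n = area[p]; p += 1
        if 192 <= n < 255:                                  # two-octet length form
            n = ((n - 192) << 8) + area[p] + 192; p += 1
        elif n == 255:                                      # five-octet length form
            n = struct.unpack(">I", area[p:p + 4])[0]; p += 4
        yield area[p] & 0x7F, area[p + 1:p + n]             # mask off the "critical" bit
        p += n

def parse_armored_signature(armored):
    lines = armored.splitlines()
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                 lines.index("-----END PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]                        # skip armor headers
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))  # "=" line is the CRC
    assert raw[0] & 0xC0 == 0x80, "expected an old-format packet header"
    tag, p = (raw[0] >> 2) & 0x0F, {0: 2, 1: 3, 2: 5}[raw[0] & 3]
    fields = {"tag": tag, "version": raw[p], "sig_type": raw[p + 1],
              "pk_algo": raw[p + 2], "hash_algo": raw[p + 3]}
    p, areas = p + 4, []
    for _ in range(2):                                      # hashed, then unhashed area
        n = struct.unpack(">H", raw[p:p + 2])[0]
        areas.append(raw[p + 2:p + 2 + n]); p += 2 + n
    for stype, val in list(subpackets(areas[0])) + list(subpackets(areas[1])):
        if stype == 2:
            fields["created"] = struct.unpack(">I", val)[0]
        elif stype == 16:
            fields["issuer_key_id"] = val.hex().upper()
    return fields                                           # no user ID anywhere in the packet
```

The same parser can be pointed at the signature block of a real clearsigned file; the creation time it returns is the epoch value gpg2 --verify prints as a date, and the user ID shown there comes from the keyring lookup on issuer_key_id, not from the packet.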



