Signing keys on a low-entropy system

Peter Lebbing peter at
Fri Nov 8 19:01:34 CET 2013

On 08/11/13 18:07, Tapio Sokura wrote:
> Another thing is that some signature schemes that use RSA also add
> random padding data into the data that is being signed, but I don't
> think signatures in PGP do that. I may be wrong though, haven't combed
> through the PGP specs thoroughly.

Nope, OpenPGP uses EMSA-PKCS1-v1_5, which is completely deterministic.

I /think/ GnuPG doesn't need any randomness for RSA signatures.

I moved my random_seed file, and performed the following steps:
- Extend the expiration date on an RSA testkey that was expired[1]
- Sign a testfile
- Verify the signature; this launched a trustdb check since I had edited the key

And no new random_seed was ever generated. Then I tried encrypting to that key
(after having extended the expiry date of the subkey as well), and now a
random_seed was generated.

So my guess is that indeed, RSA signatures do not use randomness. And that as
soon as you use randomness, a random_seed file will be created.

In fact, I seem to get the same results when not removing my old random_seed,
but simply by looking at the modification time of the file: it will not be
touched when randomness isn't used.

Obviously, this is all conjecture.



[1] Format: primary 2048R has SC capabilities, sub 2048R has E.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list