Difference between clearsign and detached signatures?

Ingo Klöcker kloecker at kde.org
Sat Aug 30 23:20:47 CEST 2014


On Thursday 28 August 2014 22:53:52 TJ wrote:
> I've recently been digging deep into the source-code trying to
> understand what the differences are between --clearsign and
> --detach-sign signatures.
> 
> This came about whilst writing code that calls on "gpg --verify" on
> detached signatures; specifically Debian APT archives that contain
> "Release" (plaintext) and "Release.gpg" (detached signature).
> 
> The aim/hope was to combine the plaintext and detached signature into
> the armored clearsign format and thus avoid needing to write one of
> them to the file-system (the other can be supplied via stdin).

You can probably use another approach than trying to create a 
clearsigned text from a signed text and its detached signature. On the 
command line one can provide both, the detached signature and the signed 
text, one after the other via stdin by running

gpg --verify - -

You need to separate the detached signature and the signed stuff with an 
EOT, e.g. on the console first you enter the armored detached signature 
and terminate it with Ctrl+D, then you enter the signed text and 
terminate it with Ctrl+D.


BTW, which language do you want to write the code in?


Regards,
Ingo
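
Added example, not part of the message above and not GnuPG's own code: one way for a program that holds both the signed text and the detached signature in memory to verify them without writing either to the file system. It uses a different mechanism from the two-inputs-on-stdin approach described above: the signature is passed through an inherited pipe named as /dev/fd/N and the signed data through stdin. It assumes a Linux-style /dev/fd and a gpg binary on PATH; the name verify_detached is hypothetical.

```python
import os
import subprocess
import threading


def verify_detached(data, signature, gpg="gpg"):
    """Return the signing key fingerprint if `signature` is a valid detached
    signature over `data`, else None. Neither input is written to disk."""
    sig_r, sig_w = os.pipe()

    def feed_signature():
        # Written from a thread so that a signature larger than the pipe
        # buffer cannot stall us before gpg has been started.
        try:
            with os.fdopen(sig_w, "wb") as w:
                w.write(signature)
        except BrokenPipeError:
            pass  # gpg exited without reading the signature

    feeder = threading.Thread(target=feed_signature)
    feeder.start()
    try:
        proc = subprocess.run(
            # First file argument: the detached signature (inherited pipe,
            # addressed as /dev/fd/N). Second, "-": signed data on stdin.
            [gpg, "--batch", "--status-fd", "1",
             "--verify", f"/dev/fd/{sig_r}", "-"],
            input=data, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
            pass_fds=(sig_r,),
        )
    finally:
        os.close(sig_r)
        feeder.join()

    if proc.returncode != 0:
        return None
    for line in proc.stdout.decode(errors="replace").splitlines():
        fields = line.split()
        # "[GNUPG:] VALIDSIG <fingerprint> ..." is only emitted for a good
        # signature made by a usable key.
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) > 2:
            return fields[2]
    return None
```

Compare the returned fingerprint with the one expected for the archive; a non-None result only means that some key in gpg's keyring produced a good signature.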