Storing custom signed data in the key
wiktor at metacode.biz
Sat Aug 17 22:19:43 CEST 2019
> what would be the most "canonical" way to store arbitrary, signed data
> along the gpg key? And then: what is the programmatic way of extracting
> said data?
> sig!3 N KEYID 2019-08-17 User Example <user at example.com>
> Signature notation: pub at signify=SIGNIFYKEY
> Does it make sense? Is it a good idea? What would be a better way?
Yep, that definitely makes sense and notations are a good way to store
additional data. The only problem here is how to get the notation values
programmatically in a way that you know the self-signature is valid.
Sadly "gpg --list-options show-notations --with-colons --list-keys $KEY"
does not print the notation output.
I did use OpenPGP.js to verify signature and extract notations for a
small project of mine (https://metacode.biz/openpgp/proofs example here:
https://metacode.biz/@wiktor ) but I understand you want to keep the
dependencies to the minimum.
Maybe you could use GpgME, the docs look promising:
> The signature notations on a key signature are only available if the
> key was retrieved via a listing operation with the
> GPGME_KEYLIST_MODE_SIG_NOTATIONS mode enabled, because it can be
> expensive to retrieve all signature notations.
One minor thing: you may want to adjust the notation name (key). RFC
4880 advises an e-mail-like key where the domain is a name you control. So
for example "pub-signify at debian.org" if you control "debian.org".
Additionally it would be nice to have the e-mail redirect to a human in
case someone sends the message there.
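As an added example for this thread (not code from GnuPG, GPGME or OpenPGP.js), the Python below shows the wire format that the notation ends up in: it walks the subpacket area of an OpenPGP signature, decodes the RFC 4880 section 5.2.3.1 subpacket lengths, and pulls out notation-data subpackets (type 20, section 5.2.3.16) with their flags, name and value. It also checks the name against the e-mail-like form recommended above. The sample subpacket area, the notation name "pub-signify@example.org" and the value "SIGNIFYKEY" are constructed here. The parser says nothing about whether the signature is genuine; feed it only subpackets from a self-signature that gpg or GPGME has already reported as valid (the "sig!" in the listing quoted above).

```python
"""Extract notation-data subpackets from an OpenPGP signature (RFC 4880 5.2.3).

Added example for the gnupg-users thread; not GnuPG/GPGME/OpenPGP.js code.
The sample area and the notation names/values below are constructed.
"""
import re
import struct
from dataclasses import dataclass

SIG_CREATION_TIME = 2        # subpacket type, RFC 4880 5.2.3.4
NOTATION_DATA = 20           # subpacket type, RFC 4880 5.2.3.16
HUMAN_READABLE = 0x80000000  # notation flag: value is UTF-8 text

# RFC 4880 recommends user notation names of the form name@domain, where the
# domain is one the issuer controls (e.g. "pub-signify@debian.org").
RFC4880_NAME = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass
class Notation:
    name: str
    value: bytes
    human_readable: bool
    critical: bool

    def text(self):
        """Decode the value only when the human-readable flag is set."""
        return self.value.decode("utf-8") if self.human_readable else None


def encode_subpacket_length(n):
    """One-, two- or five-octet subpacket length (RFC 4880 5.2.3.1)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_subpacket_length(buf, pos):
    """Return (length, position just after the length field)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def encode_notation(name, value, human_readable=True, critical=False):
    """Build a complete notation-data subpacket: length, type octet, body."""
    name_b = name.encode("utf-8")
    flags = HUMAN_READABLE if human_readable else 0
    body = struct.pack(">IHH", flags, len(name_b), len(value)) + name_b + value
    type_octet = NOTATION_DATA | (0x80 if critical else 0)  # bit 7 = critical
    return encode_subpacket_length(1 + len(body)) + bytes([type_octet]) + body


def iter_subpackets(area):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    pos = 0
    while pos < len(area):
        length, pos = decode_subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        type_octet = area[pos]
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]
        pos += length


def parse_notation(body, critical):
    """Parse the body of a type-20 subpacket: flags, name/value lengths, data."""
    if len(body) < 8:
        raise ValueError("notation body too short")
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    if 8 + name_len + value_len != len(body):
        raise ValueError("notation length fields do not match body")
    name = body[8:8 + name_len].decode("utf-8")
    value = body[8 + name_len:8 + name_len + value_len]
    return Notation(name, value, bool(flags & HUMAN_READABLE), critical)


def extract_notations(area):
    """Return every notation subpacket; other subpacket types are skipped."""
    return [parse_notation(body, crit)
            for typ, crit, body in iter_subpackets(area) if typ == NOTATION_DATA]


def is_rfc4880_style_name(name):
    return RFC4880_NAME.match(name) is not None


def build_sample_area():
    """Constructed hashed-subpacket area: a creation time plus two notations."""
    creation = (encode_subpacket_length(5) + bytes([SIG_CREATION_TIME])
                + struct.pack(">I", 1566000000))  # arbitrary constructed timestamp
    human = encode_notation("pub-signify@example.org", b"SIGNIFYKEY")
    # A 300-byte binary value forces the two-octet subpacket length form.
    binary = encode_notation("blob@example.org", b"\x00" * 300, human_readable=False)
    return creation + human + binary


if __name__ == "__main__":
    for n in extract_notations(build_sample_area()):
        ok = "ok" if is_rfc4880_style_name(n.name) else "non-standard name"
        shown = n.text() if n.human_readable else n.value[:8].hex() + "..."
        print(f"{n.name} = {shown} ({len(n.value)} bytes, {ok})")
```

The name check is deliberately strict: "pub@signify" from the original listing has no dotted domain and is reported as non-standard, while "pub-signify@debian.org" passes. The critical bit is surfaced because RFC 4880 requires an implementation that does not understand a critical notation to treat the whole signature as invalid, so a consumer should not silently ignore it.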