Storing custom signed data in the key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Aug 28 01:17:13 CEST 2019


Hi Tomasz--

On Sat 2019-08-17 18:45:24 +0200, Tomasz Buchert wrote:

> what would be the most "canonical" way to store arbitrary, signed data
> along the gpg key? And then: what is the programmatic way of extracting
> said data?
>
> My specific usecase is putting a signify [1] public key inside my GPG
> key, so that I can leverage key distribution to push my signify key.

As i understand it, signify uses ed25519 public keys.

For this specific use case, i'd recommend attaching your signify public
key as a signing-capable subkey directly to your OpenPGP
certificate.  Or, if you don't want it to look like it's signing-capable
for the purposes of OpenPGP signing, you could attach it as a subkey
with an empty key flags subpacket.

If you want to include a notation that indicates that this key is for
use with signify specifically, you could then include a notation in the
subkey binding signature.

This seems like the most principled way to include the key in your
OpenPGP certificate, and the best way to avoid having people get
confused about third-party certification claims, since third-parties
can't attach subkeys.

Doing this specifically would require some conversion capability between
the signify format and the OpenPGP format for Ed25519 keys.  I haven't
tried to do that, but if it's something that you're interested in, i'd
be happy to look at it with you.

   --dkg
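To make the conversion dkg mentions concrete, here is an added example (not code from dkg or from the signify/GnuPG projects) that parses a signify public-key file and re-encodes the Ed25519 key as an OpenPGP v4 Public-Subkey packet body, plus the empty Key Flags subpacket and a notation subpacket that would go into the hashed area of the subkey binding signature. It assumes the signify file layout (an "untrusted comment:" line followed by base64 of "Ed" || 8-byte key id || 32-byte key), the OpenPGP EdDSA encoding from RFC 4880bis / RFC 9580 (algorithm 22, the Ed25519 curve OID, and the 0x40-prefixed point as an MPI), and a hypothetical notation name. The sample key bytes are constructed placeholders, and the binding signature itself, which must be produced with your primary key, is not computed here.

```python
import base64
import hashlib
import struct

# Constructed sample (NOT a real key): signify stores "Ed" || 8-byte key id ||
# 32-byte Ed25519 public key, base64-encoded, after an "untrusted comment:" line.
_PLACEHOLDER_PUB = bytes(range(32))
_PLACEHOLDER_KEYNUM = bytes.fromhex("0102030405060708")
SIGNIFY_PUB_TEXT = (
    "untrusted comment: signify public key (constructed sample)\n"
    + base64.b64encode(b"Ed" + _PLACEHOLDER_KEYNUM + _PLACEHOLDER_PUB).decode()
    + "\n"
)

ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1
PK_ALGO_EDDSA = 22  # OpenPGP public-key algorithm id for EdDSA


def parse_signify_pubkey(text: str) -> tuple:
    """Return (keynum, ed25519_pubkey) from the contents of a signify .pub file."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a signify public key file")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("unsupported signify key algorithm or length")
    return raw[2:10], raw[10:]


def mpi(data: bytes) -> bytes:
    """Encode bytes as an OpenPGP MPI: 2-byte big-endian bit length, then the bytes."""
    data = data.lstrip(b"\x00")
    bits = (len(data) - 1) * 8 + data[0].bit_length() if data else 0
    return struct.pack(">H", bits) + data


def openpgp_eddsa_key_body(pubkey: bytes, created: int) -> bytes:
    """Build the body of a v4 public (sub)key packet carrying an Ed25519 key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return (
        b"\x04"                                  # key packet version 4
        + struct.pack(">I", created)             # creation time (seconds since epoch)
        + bytes([PK_ALGO_EDDSA])
        + bytes([len(ED25519_OID)]) + ED25519_OID
        + mpi(b"\x40" + pubkey)                  # 0x40 prefix = native point encoding
    )


def v4_fingerprint(body: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99 || 2-byte body length || body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def public_subkey_packet(body: bytes) -> bytes:
    """Wrap the body in a new-format packet header, tag 14 = Public-Subkey."""
    if len(body) >= 192:
        raise ValueError("one-octet length form only")
    return bytes([0xC0 | 14, len(body)]) + body


def key_flags_subpacket(flags: bytes = b"") -> bytes:
    """Signature subpacket type 27 (Key Flags); empty body asserts no usage flags."""
    return bytes([1 + len(flags), 27]) + flags


def notation_subpacket(name: str, value: str) -> bytes:
    """Signature subpacket type 20 (Notation Data) with the human-readable flag set."""
    n, v = name.encode(), value.encode()
    body = b"\x80\x00\x00\x00" + struct.pack(">HH", len(n), len(v)) + n + v
    if 1 + len(body) >= 192:
        raise ValueError("one-octet length form only")
    return bytes([1 + len(body), 20]) + body


def signify_to_openpgp_subkey(text: str, created: int) -> dict:
    """Convert a signify public key into the pieces needed for an OpenPGP subkey."""
    keynum, pub = parse_signify_pubkey(text)
    body = openpgp_eddsa_key_body(pub, created)
    return {
        "keynum": keynum.hex(),
        "fingerprint": v4_fingerprint(body),
        "subkey_packet": public_subkey_packet(body),
        # Hashed subpackets for the binding signature (signature not produced here).
        "binding_subpackets": key_flags_subpacket()
        + notation_subpacket("signify-key@example.com", keynum.hex()),  # hypothetical name
    }


if __name__ == "__main__":
    result = signify_to_openpgp_subkey(SIGNIFY_PUB_TEXT, created=1566000000)
    print("fingerprint:", result["fingerprint"])
    print("subkey packet:", result["subkey_packet"].hex())
```

The resulting packet would still need to be appended to the certificate and bound with a signature from the primary key; the empty Key Flags subpacket is what keeps the subkey from advertising OpenPGP signing capability while the notation records that it is a signify key.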