detached signature, "can't hash datafile: No data"

Sami Badri sami.badri at
Sat Jan 1 20:01:52 CET 2022

On 12/31/21 23:12, Robert J. Hansen via Gnupg-users wrote:

>> Shouldn't I be able to verify the signature independently?
> Why?
> A signature is a piece of data that attests another piece of data is 
> unchanged.  If it doesn't have a second piece of data to compare to, 
> all it can say is "I have a good digital signature that attests to a 
> hash value of XYZ for some piece of data, but, uh ... where's the data?"

Makes sense.  I see my mistake.  I was practicing on my own created 
signatures on my own files.  So I was able to verify my own .sig because..

gpg: assuming signed data in '/Users/samibadri/desktop/cryptcommands.txt'
gpg: Signature made Sat Jan  1 13:06:36 2022 EST
gpg:                using RSA key 5CD9A3BC1577A0FDB8B11CD02DE90FECE5438DA0
gpg: Good signature from "SamiB (pgp key pair #1) 
<sami.badri at>" [ultimate]

> Detached signatures (clearsign signatures being one kind of them) do 
> not include the original data.  You can sign gigabytes of data and the 
> detached signature will still be only a few hundred bytes in size, 
> because the original data isn't there.
I would've thought that a clearsign signature preserves the data above 
the pgp signature, in plaintext.  Isn't the plaintext above the 
signature the original data?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-users mailing list