Re: --verify --status-fd separator for multiple signatures?

2015-03-21 Thread Werner Koch
On Fri, 20 Mar 2015 19:41, patrick-mailingli...@whonix.org said:

> Well, I don't speak C, so I can't make head or tail of "what we do in
> gpgme/src/verify.c".

You should still be able to follow the control flow.  That is not
different from any pseudo code.

> Is there a complete list of all possible start/end keyword combinations?

As I said, check out gpgme:

  switch (code)
    {
    case GPGME_STATUS_NEWSIG:
      if (sig)
        calc_sig_summary (sig);

NEWSIG has been seen: Finalize the output for the current signature if any.

      err = prepare_new_sig (opd);

      opd->only_newsig_seen = 1;

Get ready for a new signature.  That is the helpful feature of NEWSIG.
Note that there is no guarantee that a signature will follow: it may be
garbled or removed and gpg won't get to the actual verification.

    case GPGME_STATUS_GOODSIG:
    case GPGME_STATUS_EXPSIG:
    case GPGME_STATUS_EXPKEYSIG:
    case GPGME_STATUS_BADSIG:
    case GPGME_STATUS_ERRSIG:
    case GPGME_STATUS_REVKEYSIG:
      if (sig && !opd->did_prepare_new_sig)
        calc_sig_summary (sig);

If we have a signature and we are not yet preparing for a new signature
(i.e. have not called prepare_new_sig): Finalize the output for the
current signature.

      opd->only_newsig_seen = 0;

Clear flag for NEWSIG seen.

      return parse_new_sig (opd, code, args, ctx->protocol);

Do something with the signature.  This function calls prepare_new_sig if
not yet done.

    case GPGME_STATUS_VALIDSIG:
      opd->only_newsig_seen = 0;
      return sig ? parse_valid_sig (sig, args, ctx->protocol)
                 : trace_gpg_error (GPG_ERR_INV_ENGINE);

VALIDSIG is the modern version of GOODSIG.  Take care of it.

    case GPGME_STATUS_NODATA:
      opd->only_newsig_seen = 0;

Forget about NEWSIG.  The code in GPGME requires this here and for
several other status messages.

    case GPGME_STATUS_EOF:
      if (sig && !opd->did_prepare_new_sig)
        calc_sig_summary (sig);
      if (opd->only_newsig_seen && sig)
        {
          gpgme_signature_t sig2;
          /* The last signature has no valid information - remove it
             from the list. */

On EOF finalize the last signature.  If a NEWSIG has been seen remove
the prepared information.

Proper verification is a bit complicated if you need to do this in the
most general way.  You can get away much easier in many cases.  For
example VALIDSIG gives you all the information about correctly verified
signatures.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: --verify --status-fd separator for multiple signatures?

2015-03-20 Thread Patrick Schleizer
Werner Koch:
> On Thu, 19 Mar 2015 18:39, patrick-mailingli...@whonix.org said:
> 
>> when using --verify combined with --status-fd [or --status-file], how
>> can one notice in scripts that processing of one signature is done and
>> that further status-fd messages belong to the next message?
> 
> That is unfortunately a bit complicated due to different behaviour in
> gpgsm and gpg.  I suggest to do what we do in gpgme/src/verify.c .  Of
> course it would be useful to make sure that NEWSIG is also emitted by
> gpg but you also need to take care of older gpg versions.
> 
> I assume adding NEWSIG to gpg has simply been forgotten.

Well, I don't speak C, so I can't make head or tail of "what we do in
gpgme/src/verify.c".

Maybe let's put it this way. If there is no guarantee to get a NEWSIG or
other separator... Is there a limited combination of start and end keywords?

What I mean... Here is an example...

start: [GNUPG:] ERRSIG [...]
end__: [GNUPG:] NODATA [...]

start: [GNUPG:] SIG_ID [...]
end__: [GNUPG:] TRUST_[...]

start: [GNUPG:] ERRSIG [...]
end__: [GNUPG:] NO_PUBKEY [...]

Is there a complete list of all possible start/end keyword combinations?

Cheers,
Patrick




Re: --verify --status-fd separator for multiple signatures?

2015-03-20 Thread Patrick Schleizer
Doug Barton:
> On 3/19/15 10:39 AM, Patrick Schleizer wrote:
>> Hi,
>>
>> when using --verify combined with --status-fd [or --status-file], how
>> can one notice in scripts that processing of one signature is done and
>> that further status-fd messages belong to the next message?
> 
> You are using --with-colons, right?

No. Using --status-file. --with-colons does not seem to affect that.

Cheers,
Patrick




Re: --verify --status-fd separator for multiple signatures?

2015-03-19 Thread Werner Koch
On Thu, 19 Mar 2015 18:39, patrick-mailingli...@whonix.org said:

> when using --verify combined with --status-fd [or --status-file], how
> can one notice in scripts that processing of one signature is done and
> that further status-fd messages belong to the next message?

That is unfortunately a bit complicated due to different behaviour in
gpgsm and gpg.  I suggest to do what we do in gpgme/src/verify.c .  Of
course it would be useful to make sure that NEWSIG is also emitted by
gpg but you also need to take care of older gpg versions.

I assume adding NEWSIG to gpg has simply been forgotten.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: --verify --status-fd separator for multiple signatures?

2015-03-19 Thread Doug Barton

On 3/19/15 10:39 AM, Patrick Schleizer wrote:
> Hi,
>
> when using --verify combined with --status-fd [or --status-file], how
> can one notice in scripts that processing of one signature is done and
> that further status-fd messages belong to the next message?

You are using --with-colons, right?


--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!






--verify --status-fd separator for multiple signatures?

2015-03-19 Thread Patrick Schleizer
Hi,

when using --verify combined with --status-fd [or --status-file], how
can one notice in scripts that processing of one signature is done and
that further status-fd messages belong to the next message?

I mean, sometimes it shows SIG_ID, but not in case of ERRSIG.

So is there some line / separator that can be reliably used?

Cheers,
Patrick



Re: Multiple signatures

2011-10-11 Thread Werner Koch
On Tue, 11 Oct 2011 13:55, pje...@gmail.com said:

> Other problem I've noticed when I signed file in non-batch mode is that
> I’ve specified to use SHA512 for second signature.

You didn't.  What you did is to specify an S2K hash algorithm which is
used to turn passphrases into keys.  Further it is not possible to
change the algorithms for each key.  You may be better off not to tinker
around with algorithm options if you don't have a close understanding of
how they work.  GnuPG has sensible defaults and a preference system to
select algorithms.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Multiple signatures

2011-10-11 Thread pjemen

On 3. 10. 2011 23:59, David Shaw wrote:
> On Oct 3, 2011, at 1:49 PM, pet jemen wrote:
>
>> Hi,
>>
>> I want to sign binary data in OpenPGP Message Format.
>> I want to sign it by two or more keys.
>> According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is
>> possible.
>>   (A one-octet number holding a flag showing whether the signature is nested.
>> A zero value indicates that the next packet is another One-Pass Signature
>> packet that describes another signature to be applied to the same message data.)
>>
>> I'd like to use gpg from command-line to sign an input file by two keys.
>> I tried to sign it by:
>> gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 (test1)" -o %1.signed --sign %1
>> gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 (test2)" -o %1.signed2 --sign %1.signed
>>
>> But the second signature signed the first one also with the first signature.
>> I need to sign it in a way where I can verify the signature of the signed data by both
>> keys (the last octet of the One-Pass Signature Packet (Tag 4) should be
>> equal to zero).
>
> Just repeat -u as many times as you need:
>
>    gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile
>
> David

Thank you for your advice.

It is exactly what I was looking for.
I've a few more questions.

The reason why I want to sign files this way is to maintain compatibility and
add an additional signature for verifying.

I'd like to sign a file in batch mode this way:

gpg2.exe --batch --quiet --yes --force-v3-sigs -z 0 --s2k-digest-algo 
SHA-1 --passphrase-file %passFile1% -u "t0001 " 
--s2k-digest-algo SHA512 --passphrase-file %passFile2% -u "t0002 
" -o %1.signed --sign %1

It seems that pgp doesn't take the password from files if I sign by multiple
keys.

If I sign files just by one key it works.
Is there a way to sign a file with multiple signatures by two commands
and to get the same OpenPGP binary format?

The other problem I've noticed when I signed a file in non-batch mode is that
I've specified to use SHA512 for the second signature.
The problem is that the 3rd octet of the One-Pass Signature Packet body in the signed
file is 0x08, which is sha256 according to
http://tools.ietf.org/html/rfc4880#section-9.4

Any ideas why there isn't 0x0a?

Any help is welcome.

Pavol Misik



Re: Multiple signatures

2011-10-03 Thread Doug Barton
On 10/03/2011 14:39, Aaron Toponce wrote:
> On Mon, Oct 03, 2011 at 07:49:21PM +0200, pet jemen wrote:
>> I want to sign binary data in OpenPGP Message Format.
>> I want to sign it by two or more keys.
>> According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is
>> possible.
>>  (A one-octet number holding a flag showing whether the signature is
>> nested.  A zero value indicates that the next packet is another One-Pass
>> Signature packet that describes another signature to be applied to the same
>> message data.)
>>
>> I'd like to use gpg from command-line to sign an input file by two keys.
>> I tried to sign it by:
>> gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 (test1) <te...@test1.org>" -o %1.signed --sign %1
>> gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 (test2) <te...@test2.org>" -o %1.signed2 --sign %1.signed
>>
>> But the second signature signed the first one also with the first signature.
>> I need to sign it in a way where I can verify the signature of the signed data by both
>> keys (the last octet of the One-Pass Signature Packet (Tag 4) should be
>> equal to zero).
> 
> You should use detached signatures:
> 
> $ gpg -b -u $KEYID1 file.txt > sig1.gpg
> $ gpg -b -u $KEYID2 file.txt > sig2.gpg
> 
> At this point, just concatenate the two detached sigs:
> 
> $ cat sig1.gpg sig2.gpg > signatures.gpg

Wouldn't it be easier to just use >>

:)

Doug

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/




Re: Multiple signatures

2011-10-03 Thread David Shaw
On Oct 3, 2011, at 1:49 PM, pet jemen wrote:

> Hi,
> 
> I want to sign binary data in OpenPGP Message Format.
> I want to sign it by two or more keys.
> According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is 
> possible.
>  (A one-octet number holding a flag showing whether the signature is nested.  
> A zero value indicates that the next packet is another One-Pass Signature 
> packet that describes another signature to be applied to the same message 
> data.)
> 
> I'd like to use gpg from command-line to sign an input file by two keys.
> I tried to sign it by:
>    gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 (test1) " -o %1.signed --sign %1
>    gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 (test2) " -o %1.signed2 --sign %1.signed
> 
> But the second signature signed the first one also with the first signature.
> I need to sign it in a way where I can verify the signature of the signed data by both 
> keys (the last octet of the One-Pass Signature Packet (Tag 4) should be 
> equal to zero).

Just repeat -u as many times as you need:

  gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile

David




Multiple signatures

2011-10-03 Thread pet jemen
Hi,

I want to sign binary data in OpenPGP Message Format.
I want to sign it by two or more keys.
According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is
possible.
 (A one-octet number holding a flag showing whether the signature is
nested.  A zero value indicates that the next packet is another One-Pass
Signature packet that describes another signature to be applied to the same
message data.)

I'd like to use gpg from command-line to sign an input file by two keys.
I tried to sign it by:
   gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 (test1) <te...@test1.org>" -o %1.signed --sign %1
   gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 (test2) <te...@test2.org>" -o %1.signed2 --sign %1.signed

But the second signature signed the first one also with the first signature.
I need to sign it in a way where I can verify the signature of the signed data by both
keys (the last octet of the One-Pass Signature Packet (Tag 4) should be
equal to zero).

Any help on how to achieve this from the pgp command line is welcome.

Thanks.

Pavol Misik


gpg --verify behaves differently when multiple signatures present with --batch

2010-11-20 Thread Daniel Kahn Gillmor
when i have a set of OpenPGP signatures bundled together which have
different validities, it looks like gpg behaves differently depending on
if --batch is set or not.

In particular, an invalid signature seems to terminate the entire
--verify process (skipping later valid signatures) when --batch is set,
but it does not terminate the verification process otherwise.

Attached are two files: one is a simple shell script to demonstrate the
problem (with embedded data and signature material), and a fake key used
in the demonstrations.

When i run it, i get the following output (AB means the good sig from
the fake key occurs first, BA means the bad sig from my own key
(D21739E9) happens first):

> 0 d...@pip:~/src/gmimetest/gmimetest$ ./demonstrate-flip
> Testing without --batch:
>  ==AB== 
> [GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596
> [GNUPG:] GOODSIG FAF286F977F50B3B fake user 
> [GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 
> 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
> [GNUPG:] TRUST_UNDEFINED
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor 
>  ==BA== 
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor 
> [GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596
> [GNUPG:] GOODSIG FAF286F977F50B3B fake user 
> [GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 
> 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
> [GNUPG:] TRUST_UNDEFINED
> Testing with --batch:
>  ==AB== 
> [GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596
> [GNUPG:] GOODSIG FAF286F977F50B3B fake user 
> [GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 
> 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
> [GNUPG:] TRUST_UNDEFINED
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor 
>  ==BA== 
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor 
> 0 d...@pip:~/src/gmimetest/gmimetest$ 


And if i use a test user that doesn't actually have a copy of D21739E9
in its keyring, then i get feedback from both signatures even in order
BA with --batch (i suppose because the keyring can't tell that the
signature for D21739E9 is bad).

I see no good reason for --batch to cause gpg to terminate on the first
badsig it sees, and no documentation justifying this behavior, so it
seems like a bug to me.

I tested this with gpg 1.4.11 and 2.0.14 on i386 GNU/Linux systems
running the current debian testing (gpg itself from debian's
experimental archive).

Regards,

--dkg
#!/bin/bash


ab=$(mktemp signature.ab.XXX)
if [ $? != 0 ]; then
   exit 1
fi
ba=$(mktemp signature.ba.XXX)
if [ $? != 0 ]; then
   exit 1
fi
data=$(mktemp data.XXX)
if [ $? != 0 ]; then
   exit 1
fi

cat >>"$data" <>"$ab" <>"$ba" /dev/null

echo "Testing with --batch:"

echo " ==AB== "
gpg --batch --status-fd 1 --quiet --no-tty --verify "$ab" "$data" 2>/dev/null
echo " ==BA== "
gpg --batch --status-fd 1 --quiet --no-tty --verify "$ba" "$data" 2>/dev/null



rm -f "$data"
rm -f "$ab"
rm -f "$ba"
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mI0ETOiY+QEEAKSVytin0iJzcrUH99CBhUGfp0OHaYhLADFGRrEtIwxLkicjnuOf
co/cU3NVEdH/w7iZWzHL79dupbBvvOzvG+/h1xXsiBm0wjq5pdS3tH3zn8eRyjHt
8FprjvIAdHjz0kM49FCe3LHB1uktCW9UgwE1/29A5qyLBmcO+ARW74PfABEBAAG0
HGZha2UgdXNlciA8ZmFrZUBleGFtcGxlLm9yZz6IvQQTAQoAJwUCTOiY+QIbAwUJ
AAk6gAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRD68ob5d/ULOz9BBACdYgGu
76x0BU1njWipxuZnIPIN8SlJbNo6p9YZnK0Y2bEa84DF5zSH1IV7D1vwWYuJWJvB
pQBvoyXK0Xdn8g1EKhLYojr6JHcODmMGbB0QOBB8W2ofyYkix33ZeqCWLC+tvzot
KGGPZahTusrAw4hnvcZjh34DCYIgQLXuDeeCCw==
=Uy4v
-----END PGP PUBLIC KEY BLOCK-----


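The grouping logic Werner walks through in gpgme/src/verify.c (2015 thread above) and the per-signature output Daniel shows in this report can be put together in a few dozen lines. The following is an added example for this archive, not GPGME's or GnuPG's code: it reads --status-fd lines and opens a new record on NEWSIG where gpg emits it, and otherwise on SIG_ID or on one of the GOODSIG/EXPSIG/EXPKEYSIG/BADSIG/ERRSIG/REVKEYSIG keywords, which is the start/end pattern Patrick was asking about. The AB and --batch BA samples are copied from Daniel's runs above (the mailer-wrapped VALIDSIG line re-joined, the stripped user-ID addresses left out); the NEWSIG sample and its 0123456789ABCDEF key ID are constructed.

```python
"""Group gpg --status-fd lines into one record per signature.

Added example for this archive, not GPGME's or GnuPG's code.  It mirrors
the control flow quoted from gpgme/src/verify.c: a NEWSIG opens a record
(and a NEWSIG never followed by a signature keyword is dropped at EOF);
with older gpg that emits no NEWSIG, SIG_ID or one of the GOODSIG/EXPSIG/
EXPKEYSIG/BADSIG/ERRSIG/REVKEYSIG keywords opens the record instead, and
VALIDSIG, TRUST_*, NO_PUBKEY, NODATA ... attach to the open record.
"""

STATUS_PREFIX = "[GNUPG:] "
# The keywords GPGME hands to parse_new_sig: each names one signature.
START_KEYWORDS = frozenset(
    ["GOODSIG", "EXPSIG", "EXPKEYSIG", "BADSIG", "ERRSIG", "REVKEYSIG"])


def parse_status_lines(lines):
    """Return [{'verdict', 'keyid', 'lines'}, ...], one dict per signature."""
    records = []
    current = None

    def open_record():
        nonlocal current
        # Finalize the previous record only if a signature keyword reached
        # it; a bare NEWSIG carries no information (GPGME's EOF handling).
        if current is not None and current["verdict"] is not None:
            records.append(current)
        current = {"verdict": None, "keyid": None, "lines": []}

    for raw in lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue  # not a status line (stderr text, blank line)
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        if keyword == "NEWSIG":
            open_record()
        elif keyword == "SIG_ID":
            # gpg prints SIG_ID before GOODSIG, so it may be the first
            # sign of a new signature when no NEWSIG was emitted.
            if current is None or current["verdict"] is not None:
                open_record()
            current["lines"].append((keyword, args))
        elif keyword in START_KEYWORDS:
            if current is None or current["verdict"] is not None:
                open_record()
            current["verdict"] = keyword
            current["keyid"] = args.split(" ", 1)[0] if args else None
            current["lines"].append((keyword, args))
        elif current is not None:
            current["lines"].append((keyword, args))
    if current is not None and current["verdict"] is not None:
        records.append(current)
    return records


def summarize(records):
    """(verdict, key ID, fingerprint from VALIDSIG or None) per signature.
    VALIDSIG carries the fingerprint; TRUST_* still has to be read before
    a GOODSIG is treated as coming from a key you actually trust."""
    out = []
    for rec in records:
        fpr = None
        for keyword, args in rec["lines"]:
            if keyword == "VALIDSIG":
                fpr = args.split(" ", 1)[0]
        out.append((rec["verdict"], rec["keyid"], fpr))
    return out


# Sample lines from Daniel's "==AB==" run above (the mailer-wrapped VALIDSIG
# line re-joined, the stripped user-ID addresses left out).
SAMPLE_AB = """\
[GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596
[GNUPG:] GOODSIG FAF286F977F50B3B fake user
[GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
[GNUPG:] TRUST_UNDEFINED
[GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor
""".splitlines()

# His "==BA==" run with --batch: gpg stopped after the first bad signature.
SAMPLE_BATCH_BA = ["[GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor"]

# Constructed: a gpg that emits NEWSIG, an ERRSIG/NO_PUBKEY pair for a
# fabricated key ID, a good signature, then a NEWSIG with nothing after it.
SAMPLE_NEWSIG = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1290318596 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FAF286F977F50B3B fake user
[GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
[GNUPG:] TRUST_UNDEFINED
[GNUPG:] NEWSIG
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("AB", SAMPLE_AB), ("batch BA", SAMPLE_BATCH_BA),
                         ("NEWSIG", SAMPLE_NEWSIG)):
        print(name, summarize(parse_status_lines(sample)))
```

Run over the --batch BA sample the parser returns a single BADSIG record, which is exactly how a script notices Daniel's early termination: the good signature it expected is simply absent, so a caller that requires N verified signatures must count records rather than look for the absence of BADSIG.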


Re: Multiple signatures

2010-06-21 Thread Robert J. Hansen
On 6/18/10 3:39 PM, ved...@nym.hush.com wrote:
>> gpg --armor -u signer -u signer2 -u signer3 --clearsign filename
> 
> no.
> 
> 6.5.8 and 6.5.8 ckt will crash only when trying to verify multiple 
> signatures of the same text when *clearsigned*.

Perhaps I'm in error here, but -- isn't a clearsign the command I specified?





Re: Multiple signatures

2010-06-21 Thread Boris
Ok, Thanks David,

But what if the file is signed by people working on different computers?
So they will add their signature to the current separate file
(corresponding to the people who already signed a specific file).

Koushkov

2010/6/18 David Shaw 

> On Jun 17, 2010, at 11:33 PM, Boris wrote:
>
> > Hi,
> >
> > I would like to know if there is a way to add multiple signatures for a
> file (in a separate file) and check who signed with just one command (so not
> by signing a signed file...).
>
> Sure.
>
>   gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
>
> You'll end up with a file-to-sign.sig that contains all three signatures.
>  When you verify file-to-sign.sig, all three signatures will be checked.
>
> Alternately, you can do the same "multiple signer" trick with regular
> --sign if you want the data and signatures to be put together into a single
> file.
>
> David
>
>


Re: Multiple signatures

2010-06-21 Thread Boris
Thank you very much, David.
It is exactly what I wanted.

2010/6/18 David Shaw 

> > On Jun 17, 2010, at 11:33 PM, Boris wrote:
> >
> > > Hi,
> > >
> > > I would like to know if there is a way to add multiple signatures for a
> file (in a separate file) and check who signed with just one command (so not
> by signing a signed file...).
> >
> > Sure.
> >
> >   gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
> >
> > You'll end up with a file-to-sign.sig that contains all three signatures.
>  When you verify file-to-sign.sig, all three signatures will be checked.
> >
> > Alternately, you can do the same "multiple signer" trick with regular
> --sign if you want the data and signatures to be put together into a single
> file.
>
> On Jun 18, 2010, at 9:14 AM, Boris wrote:
>
> > Ok, Thanks David,
> >
> > But what if the file is signed by people working on different computers?
> > So they will add their signature to the current separate file
> (corresponding to the people who already signed a specific file).
>
> If you want a bunch of people all signing the same file, have each signer
> do this:
>
> gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign
>
> Then have them all send you their "file-to-sign.sig" files.  You create a
> file containing all of them:
>
> cat signer-1-signature signer-2-signature signer-3-signature >
> file-to-sign.sig
>
> Then anyone can verify file-to-sign.sig against the original file-to-sign
> and see all the signatures verified.
>
> David
>
>


Re: Multiple signatures

2010-06-18 Thread vedaal
Robert J. Hansen rjh at sixdemonbag.org wrote on
Fri Jun 18 14:13:56 CEST 2010 :

>> I would like to know if there is a way to add multiple signatures for a
>> file (in a separate file) and check who signed with just one command (so
>> not by signing a signed file...).
>
> gpg --armor -u signer -u signer2 -u signer3 --clearsign filename
>
> Warning: these signatures will break old versions of PGP.  6.5.8
> and the 6.5.8CKT builds will crash when trying to verify them.

no.

6.5.8 and 6.5.8 ckt will crash only when trying to verify multiple
signatures of the same text when *clearsigned*.

Verifying 'Multiple simultaneous signatures' done in armored signed
format, or in signed and encrypted format, or as detached
signatures, will not cause any problem for 6.5.8, 6.5.8 ckt, or
6.5.8 commandline.


vedaal




Re: Multiple signatures

2010-06-18 Thread David Shaw
> On Jun 17, 2010, at 11:33 PM, Boris wrote:
> 
> > Hi,
> >
> > I would like to know if there is a way to add multiple signatures for a 
> > file (in a separate file) and check who signed with just one command (so 
> > not by signing a signed file...).
> 
> Sure.
> 
>   gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
> 
> You'll end up with a file-to-sign.sig that contains all three signatures.  
> When you verify file-to-sign.sig, all three signatures will be checked.
> 
> Alternately, you can do the same "multiple signer" trick with regular --sign 
> if you want the data and signatures to be put together into a single file.

On Jun 18, 2010, at 9:14 AM, Boris wrote:

> Ok, Thanks David,
>  
> But what if the file is signed by people working on different computers?
> So they will add their signature to the current separate file (corresponding 
> to the people who already signed a specific file).

If you want a bunch of people all signing the same file, have each signer do 
this:

gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign

Then have them all send you their "file-to-sign.sig" files.  You create a file 
containing all of them:

cat signer-1-signature signer-2-signature signer-3-signature > file-to-sign.sig

Then anyone can verify file-to-sign.sig against the original file-to-sign and 
see all the signatures verified.

David




Re: Multiple signatures

2010-06-18 Thread David Shaw
On Jun 17, 2010, at 11:33 PM, Boris wrote:

> Hi,
>  
> I would like to know if there is a way to add multiple signatures for a file 
> (in a separate file) and check who signed with just one command (so not by 
> signing a signed file...).

Sure.

   gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign

You'll end up with a file-to-sign.sig that contains all three signatures.  When 
you verify file-to-sign.sig, all three signatures will be checked.

Alternately, you can do the same "multiple signer" trick with regular --sign if 
you want the data and signatures to be put together into a single file.

David




Re: Multiple signatures

2010-06-18 Thread Robert J. Hansen
On 6/17/10 11:33 PM, Boris wrote:
> Hi,
>  
> I would like to know if there is a way to add multiple signatures for a
> file (in a separate file) and check who signed with just one command (so
> not by signing a signed file...).


gpg --armor -u signer -u signer2 -u signer3 --clearsign filename

Warning: these signatures will break old versions of PGP.  6.5.8 and the
6.5.8CKT builds will crash when trying to verify them.



Multiple signatures

2010-06-18 Thread Boris
Hi,

I would like to know if there is a way to add multiple signatures for a file
(in a separate file) and check who signed with just one command (so not by
signing a signed file...).

Thanks,

Koushkov


Re: Extracting a single signature from a file containing multiple signatures

2005-09-21 Thread Derek Price
David Shaw wrote:

>Yes, and yes.
>
>To separate signatures, use 'gpgsplit', which comes with gpg.  You'll
>end up with each signature in its own file.
>
>The documentation of the signature file format is in RFC-2440:
>http://www.ietf.org/rfc/rfc2440.txt
>  
>

Thank you very much.  That will be useful.  Is there some way I can
extract signature information from individual signatures without running
gpg --verify?  i.e. key ID, date, anything else that is available when
the signed data may not be?

Regards,

Derek

-- 
Derek R. Price
CVS Solutions Architect
Ximbiot 
v: +1 717.579.6168
f: +1 717.234.3125






Re: Extracting a single signature from a file containing multiple signatures

2005-09-21 Thread David Shaw
On Wed, Sep 21, 2005 at 11:52:08AM -0400, Derek Price wrote:
> Say `gpg --detach-sign' were used to create several detached signatures
> and they were concatenated into the same file.  Is there a simple way to
> separate those signatures again?  Is there documentation of the gpg
> signature file format online?

Yes, and yes.

To separate signatures, use 'gpgsplit', which comes with gpg.  You'll
end up with each signature in its own file.

The documentation of the signature file format is in RFC-2440:
http://www.ietf.org/rfc/rfc2440.txt

David



Extracting a single signature from a file containing multiple signatures

2005-09-21 Thread Derek Price
Say `gpg --detach-sign' were used to create several detached signatures
and they were concatenated into the same file.  Is there a simple way to
separate those signatures again?  Is there documentation of the gpg
signature file format online?

(I am looking into allowing CVS revisions to be signed in the CVS
repository, potentially by multiple users, and I want to know if I can
store multiple signatures in a single binary string (I know that gpg
--verify can handle this) or if I need to keep them separate, to allow
for admins to later delete single, possibly expired, signatures from the
signature blob by keyid.  Once I get the signatures separated again, I
can exec gpg to extract the keyid, but if I cannot separate them, this
won't work to find and delete a single signature from the blob.)

Thanks,

Derek

-- 
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:[EMAIL PROTECTED]>



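Derek's two questions (splitting a file of concatenated detached signatures, and reading key ID and date from each one without running gpg --verify) and Pavol's question in the 2011 "Multiple signatures" thread above (what the nested flag and the hash-algorithm octet of a One-Pass Signature packet look like) both come down to walking the RFC 4880 packet framing. The block below is an added example for this archive and is not GnuPG's gpgsplit; it parses old- and new-format packet headers, tag 2 signature packets in both the v3 layout that --force-v3-sigs produces and the v4 subpacket layout, and tag 4 one-pass packets. All packets it runs on are constructed here with dummy MPIs and fabricated key IDs (0123456789ABCDEF, FEDCBA9876543210), so nothing in it is a real signature.

```python
"""Walk a concatenated OpenPGP packet stream (RFC 4880 section 4.2) and
pull out the per-signature facts a script can read without gpg --verify.

Added example for this archive, not GnuPG's gpgsplit.  The sample packets
below are constructed with dummy MPIs; they are not real signatures."""

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 9.4


def split_packets(data):
    """Return [(tag, body), ...]; handles old- and new-format headers."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % (pos - 1))
        if ctb & 0x40:                        # new format: tag in low 6 bits
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                 # old format: tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + width], "big")
            pos += width
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        pos += length
    return packets


def parse_subpackets(area):
    """[(type, body)] from a signature subpacket area (RFC 4880 5.2.3.1)."""
    subs, pos = [], 0
    while pos < len(area):
        first = area[pos]
        pos += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + area[pos] + 192
            pos += 1
        else:
            length = int.from_bytes(area[pos:pos + 4], "big")
            pos += 4
        subs.append((area[pos] & 0x7F, area[pos + 1:pos + length]))  # bit 7 = critical
        pos += length
    return subs


def parse_signature(body):
    """Key ID, creation time and hash algorithm of a tag-2 signature packet."""
    version = body[0]
    if version == 3:            # fixed layout, what --force-v3-sigs produces
        created = int.from_bytes(body[3:7], "big")
        keyid, hash_algo = body[7:15].hex().upper(), body[16]
    elif version == 4:
        hash_algo = body[3]
        hlen = int.from_bytes(body[4:6], "big")
        ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
        hashed = parse_subpackets(body[6:6 + hlen])
        unhashed = parse_subpackets(body[8 + hlen:8 + hlen + ulen])
        created = keyid = None
        for sub_type, sub in hashed + unhashed:
            if sub_type == 2 and created is None:
                created = int.from_bytes(sub[:4], "big")
            # The issuer subpacket (type 16) normally sits in the unhashed
            # area, which the signature does not cover: a lookup hint only.
            if sub_type == 16 and keyid is None:
                keyid = sub.hex().upper()
    else:
        raise ValueError("unsupported signature version %d" % version)
    return {"tag": 2, "version": version, "keyid": keyid,
            "created": created, "hash": HASH_ALGOS.get(hash_algo, hash_algo)}


def parse_one_pass(body):
    """Tag-4 one-pass packet: the third octet of the body is the hash
    algorithm, the last one the nested flag (0 = another one-pass follows)."""
    if body[0] != 3:
        raise ValueError("unsupported one-pass version %d" % body[0])
    return {"tag": 4, "hash": HASH_ALGOS.get(body[2], body[2]),
            "keyid": body[4:12].hex().upper(), "nested": body[12]}


def describe_stream(data):
    """One dict per packet; signature and one-pass packets are decoded."""
    out = []
    for tag, body in split_packets(data):
        if tag == 2:
            out.append(parse_signature(body))
        elif tag == 4:
            out.append(parse_one_pass(body))
        else:
            out.append({"tag": tag, "length": len(body)})
    return out


# ---- constructed test material: dummy MPIs, fabricated key IDs ------------
def _pkt(tag, body, new_format=True):
    hdr = bytes([0xC0 | tag]) if new_format else bytes([0x80 | (tag << 2)])
    return hdr + bytes([len(body)]) + body   # one-octet lengths suffice here


def v4_sig(keyid_hex, created, hash_algo):
    hashed = bytes([5, 2]) + created.to_bytes(4, "big")      # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(keyid_hex)     # issuer key ID
    body = (bytes([4, 0x00, 1, hash_algo]) + len(hashed).to_bytes(2, "big")
            + hashed + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\xab\xcd" + (16).to_bytes(2, "big") + b"\xff\xff")  # left16, MPI
    return _pkt(2, body)


def v3_sig(keyid_hex, created, hash_algo):
    body = (bytes([3, 5, 0x00]) + created.to_bytes(4, "big")
            + bytes.fromhex(keyid_hex) + bytes([1, hash_algo])
            + b"\xab\xcd" + (16).to_bytes(2, "big") + b"\xff\xff")
    return _pkt(2, body, new_format=False)


def one_pass(keyid_hex, hash_algo, nested):
    return _pkt(4, bytes([3, 0x00, hash_algo, 1])
                + bytes.fromhex(keyid_hex) + bytes([nested]))


KEY_A, KEY_B = "0123456789ABCDEF", "FEDCBA9876543210"   # fabricated key IDs
# Two detached signatures concatenated with cat, as the threads above do.
DETACHED_SIGS = v4_sig(KEY_A, 1317664140, 10) + v3_sig(KEY_B, 1317664140, 8)
# A two-signer message: one-pass packets (nested=0 on the first), literal
# data, then the signatures in reverse signer order.
LITERAL = _pkt(11, b"b\x00" + (0).to_bytes(4, "big") + b"payload")
NESTED_STREAM = (one_pass(KEY_B, 10, 0) + one_pass(KEY_A, 8, 1) + LITERAL
                 + v4_sig(KEY_A, 1317664140, 8) + v4_sig(KEY_B, 1317664140, 10))

if __name__ == "__main__":
    for pkt in describe_stream(DETACHED_SIGS) + describe_stream(NESTED_STREAM):
        print(pkt)
```

The split is what lets an administrator drop one signature from a concatenated blob by key ID, as Derek wants; the key ID read this way is only a hint for the keyring lookup, since nothing in it is authenticated until gpg --verify has checked the signature itself against the key.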


Re: Multiple signatures on a single file

2005-09-05 Thread Berend Tober

Alphax wrote:
> Berend Tober wrote:
>> Is it possible to have multiple persons sign a single file? If so, how
>> is this done?
>>
>> The particular scenario is currently this: Employees submit expense
>> reports for business travel using a spread sheet. Current practise is
>> the employee fills out spread sheet via computer (or optionally
>> prints blank spread sheet template and writes by hand with a pen),
>> physically signs using pen and ink, physically delivers signed hardcopy
>> to supervisor for supervisor pen-and-ink signature prior to payment
>> processing.
>>
>> Desired practise is to eliminate both producing hard copy and
>> pen-and-ink signatures, and then re-work the process using gpg
>> electronic signatures. Thus, employee would enter data into expense
>> report spread sheet, save, gpg sign, mail to supervisor, supervisor
>> would (presumably) open and review spread sheet, close without changing,
>> gpg sign, and then return to employee or forward to accounting dept.
>>
>> Sounds straightforward, but I didn't spot in the various
>> manuals/guides/how-to's for gnupg how a second individual could add
>> their signature after me.
>
> Use detached signatures? Generate a key to sign the document with, and
> have that key signed by the supervisor?

What I don't like about doing that explicitly is that every additional
signature, at least in the default operational mode, appends an
additional ".sig" file extension. Furthermore, the signatures are
wrapped within one another, so that verification would require
serial verification of each preceding outer layer signature. What I've
been refining during the last couple of days uses a command line script to
append additional detached signatures into a single signature file. This
approach models more directly the co-signature concept of legacy
contracts, i.e., think of buying a house -- you and your spouse are
co-signatories rather than having one sign the contract and the other sign
the other's signature. What you suggested models the concept of a notary
public witnessing a signature, but that we already have by signing
public keys in the trust model.




Multiple signatures on a single file

2005-09-05 Thread Berend Tober

Is it possible to have multiple persons sign a single file? If so, how
is this done?

The particular scenario is currently this: Employees submit expense
reports for business travel using a spread sheet. Current practise is
the employee fills out spread sheet via computer (or optionally
prints blank spread sheet template and writes by hand with a pen),
physically signs using pen and ink, physically delivers signed hardcopy
to supervisor for supervisor pen-and-ink signature prior to payment
processing.

Desired practise is to eliminate both producing hard copy and
pen-and-ink signatures, and then re-work the process using gpg
electronic signatures. Thus, employee would enter data into expense
report spread sheet, save, gpg sign, mail to supervisor, supervisor
would (presumably) open and review spread sheet, close without changing,
gpg sign, and then return to employee or forward to accounting dept.

Sounds straightforward, but I didn't spot in the various
manuals/guides/how-to's for gnupg how a second individual could add
their signature after me.

-- BMT






Re: Multiple signatures on a single file

2005-09-02 Thread Alphax
Berend Tober wrote:
> Is it possible to have multiple persons sign a single file? If so, how
> is this done?
> 
> The particular scenario is currently this: Employees submit expense
> reports for business travel using a spread sheet. Current practise is
> the employee fills out spread sheet via computer (or optionally
> prints blank spread sheet template and writes by hand with a pen),
> physically signs using pen and ink, physically delivers signed hardcopy
> to supervisor for supervisor pen-and-ink signature prior to payment
> processing.
> 
> Desired practise is to eliminate both producing hard copy and
> pen-and-ink signatures, and then re-work the process using gpg
> electronic signatures. Thus, employee would enter data into expense
> report spread sheet, save, gpg sign, mail to supervisor, supervisor
> would (presumably) open and review spread sheet, close without changing,
> gpg sign, and then return to employee or forward to accounting dept.
> 
> Sounds straightforward, but I didn't spot in the various
> manuals/guides/how-to's for gnupg how a second individual could add
> their signature after me.
> 

Use detached signatures? Generate a key to sign the document with, and
have that key signed by the supervisor?

Just my 2c...

- --
Alphax  |   /"\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email & vCards
http://tinyurl.com/cc9up|   / \



Multiple signatures on a single file

2005-09-02 Thread Berend Tober
Is it possible to have multiple persons sign a single file? If so, how 
is this done?


The particular scenario is currently this: Employees submit expense 
reports for business travel using a spread sheet. Current practise is 
the employee fills out spread sheet via computer (or optionally 
prints blank spread sheet template and writes by hand with a pen), 
physically signs using pen and ink, physically delivers signed hardcopy 
to supervisor for supervisor pen-and-ink signature prior to payment 
processing.


Desired practise is to eliminate both producing hard copy and 
pen-and-ink signatures, and then re-work the process using gpg 
electronic signatures. Thus, employee would enter data into expense 
report spread sheet, save, gpg sign, mail to supervisor, supervisor 
would (presumably) open and review spread sheet, close without changing, 
gpg sign, and then return to employee or forward to accounting dept.


Sounds straightforward, but I didn't spot in the various 
manuals/guides/how-to's for gnupg how a second individual could add 
their signature after me.


-- BMT


