We'd like to implement a workflow that requires multiple people to digitallly sign a document. If I have multiple secret keys in my own keychain, I can do something as simple as:
gpg --sign -u userid1 -u userid2 filename
But what do I do if I've got an already signed document and I want to add a signature? One solution would be to have everyone generate detached signatures for the document, and then package them all together in a zip file or something, but the overhead there is substantially higher. Is there a better way?
When sending digital signatures, PGP uses an efficient algorithm that generates a hash (a mathematical summary) from the user's name and other signature information. This hash code is then encrypted with the sender's private key. The receiver uses the sender's public key to decrypt the hash code.
In order to verify PGP signatures you need access to to the sender's public key and a PGP utility program. Signing tells the PGP utility how much you trust the key and you should only sign keys that you have verified independently. Computing hashes and comparing against a checksum is a quick and easy alternative.
Signing a message helps ensure the following: Data Integrity – That the email was not altered from its original form. Message Authentication (Proof of Origin) – That the email actually came from the purported sender (if the sender is the signer of the message).
GPG signatures are widely used by Linux package managers such as apt to verify the integrity of downloaded files. Typically the public key is shipped with the OS, and the private key is owned by the repository maintainers. This way we can safely install software from any mirror or network.
No need to ZIP them: you can simply concatenate detached signatures in a single file and all will be verified one after another.
% gpg -b -u $ID1 -o prova.c.sig1 prova.c
% gpg -b -u $ID2 -o prova.c.sig2 prova.c
% cat prova.c.sig1 prova.c.sig2 >prova.c.sig
% gpg prova.c.sig
gpg: Signature made Mar 1 Set 18:16:09 2009 CEST using RSA key ID $ID1
gpg: Good signature from "Lapo Luchini <[email protected]>"
gpg: Signature made Mar 1 Set 18:16:25 2009 CEST using RSA key ID $ID2
gpg: Good signature from "Lapo Luchini <[email protected]>"
I have verified that this works as well with ASCII-armored files tough in that case the output file size is sub-optimal since the header is repeated for each signature and it might be better to first concatenate the binary signatures and them ASCII-armor the whole thing.
I don't know OpenPGP format well enough to be sure, but I guess you can probably also have a software that, given a file and some detached signatures, makes a single attached signature with the signature packets extracted from all of them, though that would need more time to be implemented (if at all possible: maybe there are different packets for attached and detached signatures and one can't be converted in the other, but I would bet the packet is only one type).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With