GPG message with multiple signatures

[vsajip]

Original report by Anonymous.

---

From what I understant gpg.verify will return a result with information about the last valid signature it encounters while parsing GPG's output.

Any suggestions on how to handle this if I were to write a patch?

[vsajip]

Sorry, I don't quite understand. A patch to do what, exactly?

[vsajip]

Original comment by Anonymous.

---

A patch that makes gpg.verify give me an array of keyids/fingerprints.

Some examples of multiple signing: http://lists.gnupg.org/pipermail/gnupg-users/2013-July/047118.html

I haven't really tested anything yet, but reading the code makes me think I can't do this with the current version. Please correct me if I'm wrong.

[vsajip]

Is this an officially supported feature of GnuPG? How does one use GnuPG to add multiple signatures?

[vsajip]

Original comment by Ben McGinnes (Bitbucket: benmcginnes, ).

---

Yes it is an officially supported feature of GPG and it is used to handle transitioning from one key to another (e.g. the shift from DSA keys back to RSA a few years ago).

BTW, since GPG 2.1 is nearly at the end of the beta cycle, this will become more of an issue soon when people start adopting EC keys in the not too distant future.

[vsajip]

Original comment by Anonymous.

---

Vinay, you could do it like this if you have two keys on your secring : gpg --sign -u me@home -u me@work

[vsajip]

Then I suppose to be consistent, this functionality would also need to be supported (currently, only one signer is assumed both for signing and verification). Tests and docs would need updating. For backward compatibility, the existing API shouldn't change, but the object that collects results could grow a new list attribute to which all collected signatures are added. The keyid and passphrase parameters in the signing APIs would need to accept sequences of key ids and corresponding passphrases, with error checking for equal lengths etc.

[vsajip]

Also, if this functionality is available for GPG2 only, we would need to check for that.

[vsajip]

Original comment by Ben McGinnes (Bitbucket: benmcginnes, ).

---

No, it's available in 1.4.x and has been available for a long time. I still use the 1.4 branch because it's easier to customise before compiling (I tweak the max key sizes and secure memory). Anyway, I transitioned from my DSA/ElGamal key a bit over 2 years ago to my current RSA/ElGamal key (yeah, that's possible too) and created a transition document with just such a double signature. It's here:

http://www.adversary.org/keyswitch.txt.asc

Feel free to test with it, but verification should show good signatures from 0x371AC5BFA04AE313 (the old key) and 0x321E4E2373590E5D (the current one), though as it is a message the latter key will have used the 0x7FF2D37135C7553C signing subkey.

Yeah, here it is:

bash4-4.3$ gpg -v --verify keyswitch.txt.asc 
gpg: armor header: Hash: SHA512
gpg: original file name=''
gpg: Signature made Sun 29 Jul 12:08:05 2012 AEST
gpg:                using DSA key 0x371AC5BFA04AE313
gpg: Good signature from "Ben McGinnes <ben@adversary.org>"
gpg:                 aka "Ben McGinnes <ben-work@adversary.org>"
gpg:                 aka "Ben McGinnes (A secondary address - primary address is still ben@adversary.org) <benmcginnes@gmail.com>"
gpg: textmode signature, digest algorithm SHA512
gpg: Signature made Sun 29 Jul 12:08:05 2012 AEST
gpg:                using RSA key 0x7FF2D37135C7553C
gpg: using subkey 0x7FF2D37135C7553C instead of primary key 0x321E4E2373590E5D
gpg: Good signature from "Ben McGinnes <ben@adversary.org>"
gpg:                 aka "Ben McGinnes (backup email address) <benmcginnes@gmail.com>"
gpg:                 aka "Ben McGinnes <ben.mcginnes@pirateparty.org.au>"
gpg:                 aka "Ben McGinnes <ben.mcginnes@pirate.org.au>"
gpg: textmode signature, digest algorithm SHA512
bash4-4.3$ 

Obviously the time is local to me, but you should see the same thing.

[vsajip]

@benmcginnes Thanks, this is helpful. I'm a little busy at the moment but I hope to look at this soon. If @abfg wants to have a go at a patch along the lines I suggested above, I'll be happy to have a look at it.

[vsajip]

Original changes by Vinay Sajip (Bitbucket: vinay.sajip, GitHub: vsajip).

---

removed "0.3.7" milestone

[vsajip]

Should be fixed in b72bbe0.

[vsajip]

Original changes by Vinay Sajip (Bitbucket: vinay.sajip, GitHub: vsajip).

---

changed content from "From what I understant gpg.verify will return a result with information about the last valid signature it encounters while parsing GPG's output.

Any suggestions on how to handle this if I were to write a patch?
" to "From what I understant gpg.verify will return a result with information about the last valid signature it encounters while parsing GPG's output.

Any suggestions on how to handle this if I were to write a patch?"; changed state from "new" to "resolved"