在已经签名的文档中添加OpenPGP签名？ [英] Adding a OpenPGP signature to an already signed document?

问题描述

我们想要实施一个工作流程，该工作流程需要多个人对文档进行数字签名。如果我自己的钥匙串中有多个秘密密钥，我可以做一些简单的事情：

We'd like to implement a workflow that requires multiple people to digitallly sign a document. If I have multiple secret keys in my own keychain, I can do something as simple as:

gpg --sign -u userid1 -u userid2 filename

但是如果我已经签名了文档并且想要添加签名？一种解决方案是让每个人都为文档生成分离的签名，然后将它们全部打包到一个zip文件或类似的文件中，但是这样做的开销要高得多。有没有更好的方法？

But what do I do if I've got an already signed document and I want to add a signature? One solution would be to have everyone generate detached signatures for the document, and then package them all together in a zip file or something, but the overhead there is substantially higher. Is there a better way?

推荐答案

无需压缩它们：您可以将分离的签名简单地连接到一个文件中，

No need to ZIP them: you can simply concatenate detached signatures in a single file and all will be verified one after another.

% gpg -b -u $ID1 -o prova.c.sig1 prova.c
% gpg -b -u $ID2 -o prova.c.sig2 prova.c
% cat prova.c.sig1 prova.c.sig2 >prova.c.sig
% gpg prova.c.sig
gpg: Signature made Mar  1 Set 18:16:09 2009 CEST using RSA key ID $ID1
gpg: Good signature from "Lapo Luchini <lapo@lapo.it>"
gpg: Signature made Mar  1 Set 18:16:25 2009 CEST using RSA key ID $ID2
gpg: Good signature from "Lapo Luchini <lapo@lapo.it>"

我已经验证了这对于处理ASCII装甲文件也很有效，在这种情况下输出文件的大小是次优的，因为要为每个签名重复标题，最好先连接二进制签名，然后将它们全部用ASCII装甲。

I have verified that this works as well with ASCII-armored files tough in that case the output file size is sub-optimal since the header is repeated for each signature and it might be better to first concatenate the binary signatures and them ASCII-armor the whole thing.

我不太了解OpenPGP格式，但是我想您可能还可以使用一个软件，给定文件和一些分离的签名，并使用从所有签名中提取的签名包制作单个附加的签名。实现的时间（如果可能的话：可能有附加的和分离的签名有不同的数据包，并且一个不能在另一个中转换，但是我敢打赌，该数据包只是一种类型）。

I don't know OpenPGP format well enough to be sure, but I guess you can probably also have a software that, given a file and some detached signatures, makes a single attached signature with the signature packets extracted from all of them, though that would need more time to be implemented (if at all possible: maybe there are different packets for attached and detached signatures and one can't be converted in the other, but I would bet the packet is only one type).

这篇关于在已经签名的文档中添加OpenPGP签名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！