A group of people wants to publish a file and they all want to digitally sign the file as different recipients of the file will have different chains of trust. For simplicity, it's desired that there is only one detached signature file with all the signatures, so that the recipients don't need to check them one by one:
foo.tar.gz
foo.tar.gz.sig
However, for security reasons, every person needs to perform the signing on their computer, it's not possible to create the combined signature by having multiple private keys on one computer and performing the operation with one command.
Is it possible with GPG to somehow merge detached signatures of a file from multiple participants?
Best Answer
Signatures created using gpg --detach-sign contain one OpenPGP "signature" packet each. You can combine them to one file using ordinary cat, and most PGP programs should automatically recognize multiple signature packets in a single file.
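To check that a cat-merged foo.tar.gz.sig really carries one signature packet per signer before publishing it, the following added example (not from the answer above) walks the OpenPGP packet framing and counts tag-2 packets; it assumes binary .sig files, and the sample packets are constructed headers around placeholder bodies rather than real signatures.

```python
# Added example (not from the original answer): walk the OpenPGP packet framing
# of RFC 4880 section 4.2 to confirm a merged detached-signature file holds one
# signature packet (tag 2) per signer. Binary .sig only (no --armor).
SIGNATURE_TAG = 2

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; old and new format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        i += 1
        if ctb & 0x40:  # new format: tag in low 6 bits, variable-size length
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old format: tag in bits 2-5, length size from bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def count_signatures(data: bytes) -> int:
    return sum(1 for tag, _ in iter_packets(data) if tag == SIGNATURE_TAG)

def merge_signatures(*sigs: bytes) -> bytes:
    """Same as `cat a.sig b.sig > foo.tar.gz.sig`, then re-count packets."""
    merged = b"".join(sigs)
    if count_signatures(merged) != sum(map(count_signatures, sigs)):
        raise ValueError("merged file lost or gained signature packets")
    return merged

# Constructed samples: genuine headers (0x88 = old-format tag 2, 1-byte length;
# 0xC2 = new-format tag 2) around placeholder bodies, not real signatures.
SIG_A = b"\x88" + bytes([5]) + b"AAAAA"
SIG_B = b"\xC2" + bytes([6]) + b"BBBBBB"
```

Recipients still run gpg --verify foo.tar.gz.sig foo.tar.gz, which reports each signature it finds; this check only confirms the merge kept the packet structure intact.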