How to merge several detached signatures from different people into one

Tags: digital-signature, gnupg, Security

A group of people wants to publish a file and they all want to digitally sign the file as different recipients of the file will have different chains of trust. For simplicity, it's desired that there is only one detached signature file with all the signatures, so that the recipients don't need to check them one by one:

foo.tar.gz
foo.tar.gz.sig

However, for security reasons, every person needs to perform the signing on their computer, it's not possible to create the combined signature by having multiple private keys on one computer and performing the operation with one command.

Is it possible with GPG to somehow merge detached signatures of a file from multiple participants?

Best Answer

Signatures created using gpg --detach-sign contain one OpenPGP "signature" packet each. You can combine them into one file using ordinary cat, and most PGP programs should automatically recognize multiple signature packets in a single file.
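The reason plain concatenation works is that each OpenPGP packet carries its own length in its header, so a reader walks packet by packet and finds one signature packet per signer. The following added example (not from the answer above, and not GnuPG's own code) implements that header walk from RFC 4880 section 4.2 over two constructed stand-in .sig files; the packet bodies are dummy bytes, not real signatures, and only binary (non-armored) files are handled. The real check remains gpg --verify foo.tar.gz.sig foo.tar.gz on the merged file.

```python
# Minimal OpenPGP packet-header parser (RFC 4880 section 4.2), used to confirm
# that a merged detached signature still contains one signature packet per signer.
from typing import List, Tuple

SIGNATURE_TAG = 2  # OpenPGP packet tag for a Signature packet


def _parse_header(data: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, body_offset, body_length) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"byte {pos}: not an OpenPGP packet header")
    if first & 0x40:  # new-format header: tag in the low 6 bits
        tag = first & 0x3F
        o1 = data[pos + 1]
        if o1 < 192:                                   # one-octet length
            return tag, pos + 2, o1
        if o1 < 224:                                   # two-octet length
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:                                  # five-octet length
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not used for signature packets")
    # old-format header: tag in bits 2..5, length-type in the low 2 bits
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length is not valid for signature packets")
    nbytes = {0: 1, 1: 2, 2: 4}[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")


def split_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a binary OpenPGP file into (tag, body) pairs; fails on truncation."""
    packets, pos = [], 0
    while pos < len(data):
        tag, start, length = _parse_header(data, pos)
        if start + length > len(data):
            raise ValueError(f"packet at offset {pos} is truncated")
        packets.append((tag, data[start:start + length]))
        pos = start + length
    return packets


def merge_detached_signatures(*sig_files: bytes) -> bytes:
    """Same effect as `cat alice.sig bob.sig > foo.tar.gz.sig` for binary .sig files."""
    return b"".join(sig_files)


def count_signatures(data: bytes) -> int:
    """How many Signature packets a verifier will find in the file."""
    return sum(1 for tag, _ in split_packets(data) if tag == SIGNATURE_TAG)


# Constructed stand-ins for two signers' .sig files (dummy bodies, not real signatures):
ALICE_SIG = b"\x89\x00\x0a" + b"A" * 10    # old-format header, tag 2, 2-octet length 10
BOB_SIG = b"\xc2\xc0\x6c" + b"B" * 300     # new-format header, tag 2, 2-octet length 300
```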