Hello

Please can someone share the list of utilities available to embed a digital signature in a .tar.gz file.

I have been using gpg so far with detach-sign option that generates a detached signature but now the intent is to create an archive and embed a signature within the same. Unlike GPG i don't want to either maintain a seperate file (like .asc) or save it with different ext (like .tar.gz.sig)

Kindly advise.

The PKI-package comes with utilities that should do what you want.

But in view of the weaknesses of the X 509 standard, in your place, I just packed once again the original archive together with the GnuPG signature. If your users find this awkward, tell them that they are.

tar creates an archive, and can embed any file within that archive.

Create your digital signature file and then add it to your tar archive, using tar.

The problem being, when you include the signature in the tar after having signed the tar... the resulting tar file is not the signed tar-file...
Put another way: Someone who returns from work late in the evening or someone who has not yet got his second coffee might try to test a signature on the *original* tar-file after having extracted only the signature (as a copie). This attempt has to fail.

Signing files selectively, -only a few of them that you consider important-, could be a solution. I prefer the approach that I mentioned above : Sign your tar file and put the signature together with the tar file *inside* another archive. This is so simple to comprehend that even half asleep, I might get the right idea when confronted to such a file.

Others will say, it lacks sophistication.