The signature type 0x18 is said to be calculated on the subkey itself and
packets. How can you then have tamper-proof siganture subpackets on that
For key-flags that sure would be needed.
It's not, it is calcualted on the key and then the subkey. The wording
may not be completely clear, but in 5.2.4 the RFC reads:
When a signature is made over a key, the hash data starts with the
octet 0x99, followed by a two-octet length of the key, and then body
of the key packet. (Note that this is an old-style packet header for
a key packet with two-octet length.) A subkey signature (type 0x18)
then hashes the subkey, using the same format as the main key.
The use of the phrase "then hashes the subkey" is meant to imply that
first it hashes the main key, then it hashes the subkey.