pem-dev

Re: Semantics of signatures, multiple and otherwise

1995-01-04 13:18:00

In the case of a quasi-static relationship, e.g., a baseline document, source
code, etc., the connection between the "message" (the linkage editor include
cards, by analogy) and the individual objects could be established and
confirmed by referencing the message digest of the individual signed objects,
so that ultimately you could build a digitally signed and verifiable bill of
materials for an entire software build, for example.

PKCS #7 offers a good precedent for using a message digest to refer to
an external part.  This appears when signed attributes are used.  If
you have some text, but want to add attributes like signing time, you
create an attributes object which has the signing time as well as a
*digest* of the associated text.  Then the signature is computed
simply on the attributes object, and the text is implicitly signed via
the digest.  In this analogy, the attributes object would be like the
main form and the text would be referenced and authenticated by
including its message digest.

- Jeff
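The signed-attributes indirection described in this message, as an added example that is not part of the original post or of any PKCS #7 implementation. It goes one step beyond the single-text case by letting the attributes object carry digests for several external parts, which gives the signed bill of materials from the first paragraph. Assumptions: canonical JSON stands in for the DER encoding, a toy unpadded RSA key over publicly known primes stands in for the signer's key, and all names and sample files are constructed.

```python
import hashlib
import json

# Toy textbook-RSA key over two publicly known Mersenne primes (constructed for
# illustration; unpadded and insecure). It stands in for the signer's real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode(attrs: dict) -> bytes:
    # Assumption: canonical JSON replaces the DER encoding PKCS #7 would use.
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def sign_attributes(parts: dict, signing_time: str):
    """Sign only the attributes object; parts are covered through their digests."""
    attrs = {"signingTime": signing_time,
             "digests": {name: digest(body) for name, body in parts.items()}}
    m = int.from_bytes(hashlib.sha256(encode(attrs)).digest(), "big")
    return attrs, pow(m, D, N)


def verify(attrs: dict, signature: int, parts: dict) -> list:
    """Return a list of problems; an empty list means everything checks out."""
    m = int.from_bytes(hashlib.sha256(encode(attrs)).digest(), "big")
    if pow(signature, E, N) != m:
        return ["signature does not cover these attributes"]
    problems = []
    for name, expected in attrs["digests"].items():
        if name not in parts:
            problems.append(f"{name}: missing")
        elif digest(parts[name]) != expected:
            problems.append(f"{name}: digest mismatch")
    problems += [f"{name}: not listed in signed attributes"
                 for name in parts if name not in attrs["digests"]]
    return problems


# Constructed sample build: two source files forming the bill of materials.
BUILD = {"main.c": b"int main(void){return 0;}\n", "util.c": b"int f(void){return 1;}\n"}
ATTRS, SIG = sign_attributes(BUILD, "1995-01-04T13:18:00Z")  # constructed time

if __name__ == "__main__":
    print(verify(ATTRS, SIG, BUILD))
    print(verify(ATTRS, SIG, {**BUILD, "util.c": b"int f(void){return 2;}\n"}))
```

The verifier has to run both checks: a valid signature over the attributes says nothing about a part until that part's digest has been recomputed and compared.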
