diff --git a/src/message.js b/src/message.js
index 8580fd36..b51ef574 100644
--- a/src/message.js
+++ b/src/message.js
@@ -104,12 +104,12 @@ Message.prototype.decrypt = function(privateKey, sessionKey, password) {
       enums.packet.symEncryptedIntegrityProtected,
       enums.packet.symEncryptedAEADProtected
     );
-
     if (symEncryptedPacketlist.length === 0) {
       return;
     }
 
     const symEncryptedPacket = symEncryptedPacketlist[0];
+
     return symEncryptedPacket.decrypt(keyObj.algorithm, keyObj.data).then(() => {
       const resultMsg = new Message(symEncryptedPacket.packets);
       symEncryptedPacket.packets = new packet.List(); // remove packets after decryption
@@ -292,10 +292,11 @@ export function encryptSessionKey(sessionKey, symAlgo, publicKeys, passwords) {
 
 /**
  * Sign the message (the literal data packet of the message)
- * @param  {Array<module:key~Key>} privateKey private keys with decrypted secret key data for signing
- * @return {module:message~Message}      new message with signed content
+ * @param  {Array<module:key~Key>}        privateKey private keys with decrypted secret key data for signing
+ * @param  {Signature} signature          (optional) any existing detached signature to add to the message
+ * @return {module:message~Message}       new message with signed content
  */
-Message.prototype.sign = function(privateKeys) {
+Message.prototype.sign = function(privateKeys=[], signature=null) {
 
   var packetlist = new packet.List();
 
@@ -307,12 +308,27 @@ Message.prototype.sign = function(privateKeys) {
   var literalFormat = enums.write(enums.literal, literalDataPacket.format);
   var signatureType = literalFormat === enums.literal.binary ?
                       enums.signature.binary : enums.signature.text;
-  var i, signingKeyPacket;
+  var i, signingKeyPacket, existingSigPacketlist, onePassSig;
+
+  if (signature) {
+    existingSigPacketlist = signature.packets.filterByTag(enums.packet.signature);
+    if (existingSigPacketlist.length) {
+      for (i = existingSigPacketlist.length - 1; i >= 0; i--) {
+        var sigPacket = existingSigPacketlist[i];
+        onePassSig = new packet.OnePassSignature();
+        onePassSig.type = signatureType;
+        onePassSig.hashAlgorithm = config.prefer_hash_algorithm;
+        onePassSig.publicKeyAlgorithm = sigPacket.publicKeyAlgorithm;
+        onePassSig.signingKeyId = sigPacket.issuerKeyId;
+        packetlist.push(onePassSig);
+      }
+    }
+  }
   for (i = 0; i < privateKeys.length; i++) {
     if (privateKeys[i].isPublic()) {
       throw new Error('Need private key for signing');
     }
-    var onePassSig = new packet.OnePassSignature();
+    onePassSig = new packet.OnePassSignature();
     onePassSig.type = signatureType;
     //TODO get preferred hashg algo from key signature
     onePassSig.hashAlgorithm = config.prefer_hash_algorithm;
@@ -341,16 +357,19 @@ Message.prototype.sign = function(privateKeys) {
     signaturePacket.sign(signingKeyPacket, literalDataPacket);
     packetlist.push(signaturePacket);
   }
-
+  if (signature) {
+    packetlist.concat(existingSigPacketlist);
+  }
   return new Message(packetlist);
 };
 
 /**
  * Create a detached signature for the message (the literal data packet of the message)
- * @param  {Array<module:key~Key>} privateKey private keys with decrypted secret key data for signing
+ * @param  {Array<module:key~Key>}           privateKey private keys with decrypted secret key data for signing
+ * @param  {Signature} signature             (optional) any existing detached signature
  * @return {module:signature~Signature}      new detached signature of message content
  */
-Message.prototype.signDetached = function(privateKeys) {
+Message.prototype.signDetached = function(privateKeys=[], signature=null) {
 
   var packetlist = new packet.List();
 
@@ -375,6 +394,10 @@ Message.prototype.signDetached = function(privateKeys) {
     signaturePacket.sign(signingKeyPacket, literalDataPacket);
     packetlist.push(signaturePacket);
   }
+  if (signature) {
+    var existingSigPacketlist = signature.packets.filterByTag(enums.packet.signature);
+    packetlist.concat(existingSigPacketlist);
+  }
 
   return new sigModule.Signature(packetlist);
 };
diff --git a/src/openpgp.js b/src/openpgp.js
index e3ad9404..d98773ed 100644
--- a/src/openpgp.js
+++ b/src/openpgp.js
@@ -180,12 +180,13 @@ export function decryptKey({ privateKey, passphrase }) {
  * @param  {String} filename                  (optional) a filename for the literal data packet
  * @param  {Boolean} armor                    (optional) if the return values should be ascii armored or the message/signature objects
  * @param  {Boolean} detached                 (optional) if the signature should be detached (if true, signature will be added to returned object)
+ * @param  {Signature} signatureInput         (optional) a detached signature to add to the encrypted message
  * @return {Promise<Object>}                  encrypted (and optionally signed message) in the form:
  *                                              {data: ASCII armored message if 'armor' is true,
  *                                                message: full Message object if 'armor' is false, signature: detached signature if 'detached' is true}
  * @static
  */
-export function encrypt({ data, publicKeys, privateKeys, passwords, filename, armor=true, detached=false }) {
+export function encrypt({ data, publicKeys, privateKeys, passwords, filename, armor=true, detached=false, signatureInput=null }) {
   checkData(data); publicKeys = toArray(publicKeys); privateKeys = toArray(privateKeys); passwords = toArray(passwords);
 
   if (!nativeAEAD() && asyncProxy) { // use web worker if web crypto apis are not supported
@@ -195,16 +196,19 @@ export function encrypt({ data, publicKeys, privateKeys, passwords, filename, ar
   return Promise.resolve().then(() => {
 
     let message = createMessage(data, filename);
-    if (privateKeys) { // sign the message only if private keys are specified
+    if (!privateKeys) {
+      privateKeys = [];
+    }
+    if (privateKeys.length || signatureInput) { // sign the message only if private keys or signatureInput is specified
       if (detached) {
-        var signature = message.signDetached(privateKeys);
+        var signature = message.signDetached(privateKeys, signatureInput);
         if (armor) {
           result.signature = signature.armor();
         } else {
           result.signature = signature;
         }
       } else {
-        message = message.sign(privateKeys);
+        message = message.sign(privateKeys, signatureInput);
       }
     }
     return message.encrypt(publicKeys, passwords);
@@ -243,6 +247,7 @@ export function decrypt({ message, privateKey, publicKeys, sessionKey, password,
   return message.decrypt(privateKey, sessionKey, password).then(message => {
 
     const result = parseMessage(message, format);
+
     if (result.data) { // verify
       if (!publicKeys) {
         publicKeys = [];
@@ -281,7 +286,6 @@ export function decrypt({ message, privateKey, publicKeys, sessionKey, password,
 export function sign({ data, privateKeys, armor=true, detached=false}) {
   checkString(data);
   privateKeys = toArray(privateKeys);
-
   if (asyncProxy) { // use web worker if available
     return asyncProxy.delegate('sign', { data, privateKeys, armor, detached });
   }