On Sat, Dec 31, 2011 at 7:08 AM, Thomas Bächler <thomas@archlinux.org> wrote:
On 30.12.2011 20:38, Rémy Oudompheng wrote:
I just wrote a small proof of concept for remote PGP signing. It is written in Go (using the weekly snapshot, not the r60 release), and is hosted at: https://github.com/remyoudompheng/remotepgp
Usage is quite simple:
- compile everything
- run the server on the appropriate machine, for example
  ./server -addr localhost:10022
  (by default it binds on localhost)
- choose a remote file name
- run the client:
  ./client -server http://localhost:10022/hash /home/remy/packages/blah

It does the following:
- looks for the secret keyring in $HOME/.gnupg/secring.gpg
- chooses the first secret key and asks for the passphrase if needed
- sends a little chunk of bytes to the server
- the server hashes the concatenation of the file and the little chunk and returns the hash
- the client finishes the signature process and writes blah.sig in the current directory.
I didn't try this yet, but here is an important comment: When using IP networking for the connection, everyone on the server could access the service. Instead, you could run a service over ssh (like sftp-server), and open a UNIX socket with that service. Then, you can control who has access (only the user that runs the service).
Apart from that, I like it :)
This is really cool. I'll definitely be taking a closer look at this when I have time. It does seem a bit ridiculous there are no simple signature-only programs out there. This is the closest thing I found: http://www.cypherspace.org/openpgp/pgpdsa/

I agree with Thomas on perhaps thinking about a socket-based protocol for security purposes; the same binary could even be used client and server side; something like

$ remotesign dmcgee@hostname:/path/to/my/file

would interpret the URL à la scp, and call something like

$ remotesign --genhash /path/to/my/file

on the remote host, taking on stdin the suffix bytes or whatever magic it is that is needed to be incorporated to the hash, and writing the result back on stdout.

Of course this is me spitting ideas; you actually put up the code so you're about 100x more awesome right now.

-Dan
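The split the thread describes, as an added example that is not part of remotepgp or of any message above: the client sends trailer bytes, the server hashes file||trailer and returns only the digest, and the client signs that digest with a key that never leaves its side. The transport is the local-only model Thomas suggests, a UNIX socket in a 0700 directory chmod'ed to 0600 instead of a TCP port every user of the host could reach, and the server refuses oversized requests instead of buffering them. This is a simplification in Go's standard library: RSA PKCS#1 v1.5 over SHA-256 stands in for the OpenPGP packet format, the trailer bytes, file contents, socket path and all function names are made up for the demonstration, and no GnuPG keyring is involved.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
)

// maxTrailer bounds what the server reads from a client; a real trailer is tiny.
const maxTrailer = 4096

// hashWithTrailer is the server's whole job: digest the file followed by the
// trailer bytes the client supplied. The file itself never leaves the server.
func hashWithTrailer(file, trailer []byte) []byte {
	h := sha256.New()
	h.Write(file)
	h.Write(trailer)
	return h.Sum(nil)
}

// serveOnce answers one request: read the trailer until the client half-closes,
// then write back the digest. Oversized or broken requests get no answer.
func serveOnce(ln net.Listener, file []byte) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close()
	trailer, err := io.ReadAll(io.LimitReader(conn, maxTrailer+1))
	if err == nil && len(trailer) <= maxTrailer {
		conn.Write(hashWithTrailer(file, trailer))
	}
}

// remoteSign is the client: send the trailer, half-close, read the digest and
// sign it locally. The private key never leaves the client.
func remoteSign(sockPath string, priv *rsa.PrivateKey, trailer []byte) ([]byte, error) {
	conn, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: sockPath, Net: "unix"})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if _, err := conn.Write(trailer); err != nil {
		return nil, err
	}
	conn.CloseWrite() // tells the server the trailer is complete
	digest, err := io.ReadAll(conn)
	if err != nil {
		return nil, err
	}
	// SignPKCS1v15 rejects a digest whose length does not match crypto.SHA256.
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
}

// runDemo runs both halves in one process over a user-private UNIX socket, then
// verifies the signature as a third party would: from file, trailer and public key.
func runDemo() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	// Constructed sample input: the package stays on the server; the trailer
	// bytes are made up and only stand in for the OpenPGP signature trailer.
	file := []byte("constructed package contents: blah-1.0-1-x86_64.pkg.tar.xz")
	trailer := []byte{0x04, 0x00, 0x01, 0x08, 0x00, 0x06, 0x05, 0x02, 0x4f, 0xfe, 0xdc, 0xba}
	dir, err := os.MkdirTemp("", "remotesign") // mode 0700, so the socket is private from birth
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "sign.sock")
	ln, err := net.Listen("unix", sock)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	if err := os.Chmod(sock, 0o600); err != nil { // only the service's own user may connect
		return false, err
	}
	go serveOnce(ln, file)
	sig, err := remoteSign(sock, priv, trailer)
	if err != nil {
		return false, err
	}
	if err := rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, hashWithTrailer(file, trailer), sig); err != nil {
		return false, err
	}
	// The same signature must not verify for a modified file.
	tampered := append([]byte(nil), file...)
	tampered[0] ^= 1
	if rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, hashWithTrailer(tampered, trailer), sig) == nil {
		return false, fmt.Errorf("signature verified for a tampered file")
	}
	return true, nil
}
```

Calling runDemo() returns true once the client-signed digest verifies against the server's file and fails against a modified copy. The access control rests on filesystem permissions rather than on the protocol, which is the point of Thomas's suggestion: nothing the client sends needs to be authenticated, because only the owning user can open the socket at all.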