I just wrote a small proof of concept for remote PGP signing. It is written in Go (using the weekly snapshot, not the r60 release), and is hosted at: https://github.com/remyoudompheng/remotepgp
Usage is quite simple: - compile everything - run the server on the appropriate machine, for example ./server -addr localhost:10022 (by default it binds on localhost) - choose a remote file name - run the client: ./client -server http://localhost:10022/hash /home/remy/packages/blah
It does the following: - looks for the secret keyring in $HOME/.gnupg/secring.gpg - chooses the first secret key and asks for the passphrase if needed - sends a little chunk of bytes to the server - the server hashes the concatenation of the file and the little chunk and returns the hash - the client finishes the signature process and writes blah.sig in the current directory.
You should then be able to copy the remote file and check the signature is valid.
For paranoid remote usage, it is possible to setup a SSH tunnel to connect to the server.
Any comments are welcome.