On Sun, Jun 12, 2011 at 4:19 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:
I personally vote for signing the hash, but not for having two sorts of signatures. Isn't there any way to split GnuPG's code into the hashing part and the encryption part?
Rémy.
From the gnupg-users@gnupg.org mailing list:
On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch <wk@gnupg.org> wrote:
On Sun, 12 Jun 2011 23:15, mail@kerrickstaley.com said:
Is it possible to generate the digest for a file, and then create the signature from that digest later?
No, this is not possible. We once considered implementing such a feature but dropped that plan. The technical problem is that with OpenPGP you don't just sign a plain hash of the message but the hash of a modified message (in text mode), and further the hash includes a few magic bytes. Thus to implement such a feature we would need to do an incomplete hash on the server and complete it on the client. It is doable but would look ugly.
My suggestion is to sign the hash of the file; i.e. create a file with the SHA-x digests on the remote box, download it and sign it on the local box.
So, no (unless we create our own implementation, but that'd be more complicated than just accepting signed hashes). -Kerrick Staley