On Mon, Jun 13, 2011 at 9:35 AM, Kerrick Staley <mail@kerrickstaley.com> wrote:
On Sun, Jun 12, 2011 at 4:19 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:
I personally vote for signing the hash, but not for having two sorts of signatures. Isn't there any way to split GnuPG's code into the hashing part and the encryption part?
Rémy.
From the gnupg-users@gnupg.org mailing list:
On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch <wk@gnupg.org> wrote:
On Sun, 12 Jun 2011 23:15, mail@kerrickstaley.com said:
Is it possible to generate the digest for a file, and then create the signature from that digest later?
No, this is not possible. We once considered to implement such a feature but dropped that plan. The technical problem is that with OpenPGP you don't just sign a plain hash of the message but the hash of a modified message (in text mode) and further the hash includes a few magic bytes. Thus to implement such a feature we we would need to do a incomplete hash on the server and complete it on the client. It is doable but would look ugly.
My suggestion is to sign a the hash of the file; i.e. create a file with the SHA-x digests on the remote box, download it and sign it on the local box.
So, no (unless we create our own implementation, but that'd be more complicated than just accepting signed hashes).
Not to bust your enthusiasm, but I had researched all of this and more before writing my original email. It even included the final suggestion of signing the hash of the file because the two things can't be separated (and won't be done anytime soon by the upstream devs). I looked at the agent as the best possibility for this very reason. I also want to make clear as it seems you have taken Denis' word as the gospel here when he mentioned signing package databases. Not a word of what I wrote when starting this thread implied databases, so I apologize for that if it did. Those are no issue at all- they are small enough that we could easily work out a solution similar to what Denis proposed, so we need no remote singing capability at all with those. The only thing I was looking for in this thread was a solution for packages that are too unweildy to schlep back and forth for the sole reason of signing; things like game data, Sage Mathematics packages, OpenOffice, etc. if they were built on a remote machine. It's also nice to link to the full thread if you're going to cross-post one snippet: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html -Dan