On Mon, Jun 13, 2011 at 10:08 AM, Dan McGee <dpmcgee@gmail.com> wrote:
Not to bust your enthusiasm, but I had researched all of this and more before writing my original email. It even included the final suggestion of signing the hash of the file because the two things can't be separated (and won't be done anytime soon by the upstream devs). I looked at the agent as the best possibility for this very reason.
I also want to make clear as it seems you have taken Denis' word as the gospel here when he mentioned signing package databases. Not a word of what I wrote when starting this thread implied databases, so I apologize for that if it did. Those are no issue at all - they are small enough that we could easily work out a solution similar to what Denis proposed, so we need no remote signing capability at all with those. The only thing I was looking for in this thread was a solution for packages that are too unwieldy to schlep back and forth for the sole reason of signing; things like game data, Sage Mathematics packages, OpenOffice, etc. if they were built on a remote machine.
It's also nice to link to the full thread if you're going to cross-post one snippet: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html
OK, sorry. I just made a guess as to what you were talking about, since you never transcribed the original conversation or made clear what you were referring to. Anyway, I second Denis's suggestion of always signing the hash rather than the original file. Like I mentioned, any scheme where the signing is done on the server means that keys will get compromised if the main server gets hacked. -Kerrick Staley
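The split workflow Kerrick and Denis are advocating (hash on the build host, sign only the digest on the host that holds the key, let the consumer recompute the hash and check the signature) as an added example. This is not code from the thread, from pacman or from GnuPG: Go's standard-library Ed25519 stands in for an OpenPGP key so it runs without gpg, the package bytes are constructed sample data, and the Digest type, the role split and the function names are assumptions of this example, not of any real tool.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Digest is the only thing the build host sends to the signing host: the
// hash algorithm name and the hex-encoded digest of the package.
// (Hypothetical type for this example.)
type Digest struct {
	Algo string
	Hex  string
}

// HashPackage runs on the build host. It is the only step that ever reads
// the package bytes, so the package itself never travels to the signing host.
func HashPackage(pkg []byte) Digest {
	sum := sha256.Sum256(pkg)
	return Digest{Algo: "sha256", Hex: hex.EncodeToString(sum[:])}
}

// signedMessage is the exact byte string that gets signed. Including the
// algorithm name binds the signature to "SHA-256 of the package", so a
// digest produced with some other function cannot be swapped in later.
func signedMessage(d Digest) []byte {
	return []byte(d.Algo + ":" + d.Hex)
}

// NewSigningKey runs on the signing host. The private key is created there
// and never leaves it; the build host only ever sees the public half, which
// is the point Kerrick makes about a compromised build server.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDigest runs on the signing host. Its input is a few dozen bytes of
// digest, not the package, which is what makes remote signing of large
// packages practical.
func SignDigest(priv ed25519.PrivateKey, d Digest) []byte {
	return ed25519.Sign(priv, signedMessage(d))
}

// VerifyPackage runs wherever the package is consumed. It recomputes the
// digest over the bytes it actually has and checks the signature against
// that, so a package altered after hashing fails verification.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte, sig []byte) error {
	d := HashPackage(pkg)
	if !ed25519.Verify(pub, signedMessage(d), sig) {
		return errors.New("signature does not match the package digest")
	}
	return nil
}

// SamplePackage is constructed stand-in data for a large package artifact.
func SamplePackage() []byte {
	return bytes.Repeat([]byte("constructed package payload\n"), 4096)
}

// RunScenario walks through the build-host / signing-host / verifier roles
// and reports whether the genuine and a tampered package verify.
func RunScenario() (genuineOK bool, tamperedOK bool, err error) {
	pub, priv, err := NewSigningKey() // signing host
	if err != nil {
		return false, false, err
	}
	pkg := SamplePackage()     // build host has the full artifact
	d := HashPackage(pkg)      // build host sends only this digest
	sig := SignDigest(priv, d) // signing host returns a signature over it

	genuineOK = VerifyPackage(pub, pkg, sig) == nil

	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit somewhere in the middle
	tamperedOK = VerifyPackage(pub, tampered, sig) == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine package verifies: %v\n", g)
	fmt.Printf("tampered package verifies: %v\n", t)
}
```

The verifier deliberately ignores any digest shipped alongside the package and recomputes it from the bytes it downloaded; the signed message only needs to include the algorithm name so that the same signature cannot be reinterpreted as covering a different hash function. With a real OpenPGP key the equivalent is a detached signature over the digest string, with the consumer still recomputing the hash locally before trusting it.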