[arch-dev-public] Remote PGP signing service (proof of concept)

Rémy Oudompheng remyoudompheng at gmail.com
Fri Dec 30 14:38:33 EST 2011


I just wrote a small proof of concept for remote PGP signing.
It is written in Go (using the weekly snapshot, not the 
r60 release), and is hosted at:

Usage is quite simple:
- compile everything
- run the server on the appropriate machine, for example
     ./server -addr localhost:10022
  (by default it binds on localhost)
- choose a remote file name
- run the client:
     ./client -server http://localhost:10022/hash  /home/remy/packages/blah

It does the following:
- looks for the secret keyring in $HOME/.gnupg/secring.gpg
- chooses the first secret key and asks for the passphrase if needed
- sends a little chunk of bytes to the server
- the server hashes the concatenation of the file and the little chunk
  and returns the hash
- the client finishes the signature process and writes blah.sig in the
  current directory.

You should then be able to copy the remote file and check the signature
is valid.

For paranoid remote usage, it is possible to set up an SSH tunnel to
connect to the server.

Any comments are welcome.


(I'm not really good at license terms and associated legalese,
please tell me if the copyright notices are wrong)
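
The split described in the message (the server hashes the file plus a small client-supplied chunk, the client signs the returned digest) can be sketched with the Go standard library alone; this is an added example, not code from the original post or its repository. It assumes the "little chunk" is the OpenPGP v4 hashed signature fields and trailer (RFC 4880, section 5.2.4), uses a throwaway RSA key and a constructed timestamp and file, and leaves out the HTTP transport and the OpenPGP packet framing; `sigSuffix`, `serverHash` and `demo` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sigSuffix builds what an OpenPGP v4 signature appends to the data before
// hashing (RFC 4880, 5.2.4). Assumed to be the post's "little chunk".
func sigSuffix(created uint32) []byte {
	// v4, binary-document sig, RSA, SHA-256, 6 bytes of hashed subpackets:
	// one subpacket of length 5, type 2 (creation time), 4-byte timestamp.
	h := []byte{4, 0x00, 1, 8, 0, 6, 5, 2, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(h[8:], created)
	trailer := []byte{4, 0xFF, 0, 0, 0, 0} // version, 0xFF, len(h)
	binary.BigEndian.PutUint32(trailer[2:], uint32(len(h)))
	return append(h, trailer...)
}

// serverHash runs where the file lives: digest of file || suffix.
func serverHash(file, suffix []byte) []byte {
	d := sha256.New()
	d.Write(file)
	d.Write(suffix)
	return d.Sum(nil)
}

// demo signs client-side from the digest only, then verifies the signature
// against the real file and against a modified copy.
func demo() (genuine, tampered bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	if err != nil {
		return false, false, err
	}
	// Constructed sample file and timestamp.
	file, suffix := []byte("constructed package bytes"), sigSuffix(1325273913)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, serverHash(file, suffix))
	if err != nil {
		return false, false, err
	}
	check := func(f []byte) bool {
		return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, serverHash(f, suffix), sig) == nil
	}
	return check(file), check(append(file, '!')), nil
}

func main() { fmt.Println(demo()) }
```

The private key stays on the client and the file stays on the server, but the client signs whatever digest comes back, so the signature is only as trustworthy as the server and the channel to it.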
