[arch-dev-public] Remote PGP signing service (proof of concept)

Thomas Bächler thomas at archlinux.org
Sat Dec 31 08:08:49 EST 2011

Am 30.12.2011 20:38, schrieb Rémy Oudompheng:
> I just wrote a small proof of concept for remote PGP signing.
> It is written in Go (using the weekly snapshot, not the 
> r60 release), and is hosted at:
>    https://github.com/remyoudompheng/remotepgp
> Usage is quite simple:
> - compile everything
> - run the server on the appropriate machine, for example
>      ./server -addr localhost:10022
>   (by default it binds on localhost)
> - choose a remote file name
> - run the client:
>      ./client -server http://localhost:10022/hash  /home/remy/packages/blah
> It does the following:
> - looks for the secret keyring in $HOME/.gnupg/secring.gpg
> - chooses the first secret key and asks for the passphrase if needed
> - sends a little chunk of bytes to the server
> - the server hashes the concatenation of the file and the little chunk
>   and returns the hash
> - the client finishes the signature process and writes blah.sig in the
>   current directory.

I didn't try this yet, but here is an important comment: When using IP
networking for the connection, everyone on the server could access the
service. Instead, you could run a service over ssh (like sftp-server),
and open a UNIX socket with that service. Then, you can control who has
access (only the user that runs the service).

Apart from that, I like it :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20111231/5f9e3e3a/attachment.asc>

More information about the arch-dev-public mailing list