[arch-dev-public] Remote PGP signing service (proof of concept)
Thomas Bächler
thomas at archlinux.org
Sat Dec 31 08:08:49 EST 2011
Am 30.12.2011 20:38, schrieb Rémy Oudompheng:
> I just wrote a small proof of concept for remote PGP signing.
> It is written in Go (using the weekly snapshot, not the
> r60 release), and is hosted at:
> https://github.com/remyoudompheng/remotepgp
>
> Usage is quite simple:
> - compile everything
> - run the server on the appropriate machine, for example
> ./server -addr localhost:10022
> (by default it binds on localhost)
> - choose a remote file name
> - run the client:
> ./client -server http://localhost:10022/hash /home/remy/packages/blah
>
> It does the following:
> - looks for the secret keyring in $HOME/.gnupg/secring.gpg
> - chooses the first secret key and asks for the passphrase if needed
> - sends a little chunk of bytes to the server
> - the server hashes the concatenation of the file and the little chunk
> and returns the hash
> - the client finishes the signature process and writes blah.sig in the
> current directory.
I didn't try this yet, but here is an important comment: When using IP
networking for the connection, everyone on the server could access the
service. Instead, you could run a service over ssh (like sftp-server),
and open a UNIX socket with that service. Then, you can control who has
access (only the user that runs the service).
Apart from that, I like it :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20111231/5f9e3e3a/attachment.asc>
More information about the arch-dev-public
mailing list