[aur-general] Remote PGP signing service (proof of concept)
Rémy Oudompheng
remyoudompheng at gmail.com
Fri Dec 30 14:38:33 EST 2011
Hello,
I just wrote a small proof of concept for remote PGP signing.
It is written in Go (using the weekly snapshot, not the
r60 release), and is hosted at:
https://github.com/remyoudompheng/remotepgp
Usage is quite simple:
- compile everything
- run the server on the appropriate machine, for example
    ./server -addr localhost:10022
  (by default it binds on localhost)
- choose a remote file name
- run the client:
    ./client -server http://localhost:10022/hash /home/remy/packages/blah
It does the following:
- looks for the secret keyring in $HOME/.gnupg/secring.gpg
- chooses the first secret key and asks for the passphrase if needed
- sends a little chunk of bytes to the server
- the server hashes the concatenation of the file and the little chunk
  and returns the hash
- the client finishes the signature process and writes blah.sig in the
  current directory.
You should then be able to copy the remote file and check the signature
is valid.
For paranoid remote usage, it is possible to set up an SSH tunnel to
connect to the server.
Any comments are welcome.
--
Rémy.
(I'm not really good at license terms and associated legalese,
please tell me if the copyright notices are wrong)
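
The split described in the message (the server hashes the file plus a small client-supplied chunk, the client signs the returned hash), as an added example that is not part of the original post and is not code from remotepgp. It assumes the chunk is laid out like an OpenPGP v4 signature trailer and uses a freshly generated ECDSA P-256 key as a stand-in for the keyring key; the function names and sample values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// trailer: the client's "little chunk", modelled on an OpenPGP v4 signature
// trailer (RFC 4880, 5.2.4) with one hashed subpacket, the creation time.
func trailer(created uint32) []byte {
	sub := []byte{5, 2, 0, 0, 0, 0} // subpacket length 5, type 2, 4-byte time
	binary.BigEndian.PutUint32(sub[2:], created)
	// version 4, sig type 0x00 (binary), pubkey algo 19 (ECDSA), hash algo 8 (SHA-256)
	hashed := append([]byte{4, 0x00, 19, 8, 0, byte(len(sub))}, sub...)
	final := []byte{4, 0xff, 0, 0, 0, 0} // then the length of the hashed part
	binary.BigEndian.PutUint32(final[2:], uint32(len(hashed)))
	return append(hashed, final...)
}

// serverHash runs next to the file and returns SHA-256(file || chunk); no key needed.
func serverHash(file, chunk []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, file...), chunk...))
	return sum[:]
}

// verify recomputes the digest from a local copy of the file and checks sig.
func verify(pub *ecdsa.PublicKey, file, chunk, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, serverHash(file, chunk), sig)
}

// demo signs a digest the client never computed itself, then verifies the
// signature against the real file and against a modified copy.
func demo() (okReal, okTampered bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the keyring key
	if err != nil {
		return false, false, err
	}
	file, chunk := []byte("constructed package contents\n"), trailer(1325273913) // constructed sample values
	sig, err := ecdsa.SignASN1(rand.Reader, priv, serverHash(file, chunk)) // client side
	tampered := append([]byte("X"), file...)
	return verify(&priv.PublicKey, file, chunk, sig), verify(&priv.PublicKey, tampered, chunk, sig), err
}

func main() {
	fmt.Println(demo())
}
```

The private key stays on the client, but the client signs whatever digest the server returns, so the signature only attests to the bytes the server actually hashed. Verifying against a copy of the file, as the message suggests, is what ties the signature to the file the signer intended.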