[pacman-dev] GPG remote signing

Kerrick Staley mail at kerrickstaley.com
Mon Jun 13 10:35:43 EDT 2011

On Sun, Jun 12, 2011 at 4:19 AM, Rémy Oudompheng
<remyoudompheng at gmail.com> wrote:
> I personally vote for signing the hash, but not for having two sorts
> of signatures. Isn't there any way to split GnuPG's code into the
> hashing part and the encryption part?
> Rémy.

>From the gnupg-users at gnupg.org mailing list:

On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch <wk at gnupg.org> wrote:
> On Sun, 12 Jun 2011 23:15, mail at kerrickstaley.com said:
> > Is it possible to generate the digest for a file, and then create the
> > signature from that digest later?
> No, this is not possible.  We once considered to implement such a
> feature but dropped that plan.  The technical problem is that with
> OpenPGP you don't just sign a plain hash of the message but the hash of
> a modified message (in text mode) and further the hash includes a few
> magic bytes.  Thus to implement such a feature we we would need to do a
> incomplete hash on the server and complete it on the client.  It is
> doable but would look ugly.
> My suggestion is to sign a the hash of the file; i.e. create a file with
> the SHA-x digests on the remote box, download it and sign it on the
> local box.

So, no (unless we create our own implementation, but that'd be more
complicated than just accepting signed hashes).

-Kerrick Staley

More information about the pacman-dev mailing list