[pacman-dev] GPG remote signing

Dan McGee dpmcgee at gmail.com
Mon Jun 13 11:08:25 EDT 2011

On Mon, Jun 13, 2011 at 9:35 AM, Kerrick Staley <mail at kerrickstaley.com> wrote:
> On Sun, Jun 12, 2011 at 4:19 AM, Rémy Oudompheng
> <remyoudompheng at gmail.com> wrote:
>> I personally vote for signing the hash, but not for having two sorts
>> of signatures. Isn't there any way to split GnuPG's code into the
>> hashing part and the encryption part?
>> Rémy.
> From the gnupg-users at gnupg.org mailing list:
> On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch <wk at gnupg.org> wrote:
>> On Sun, 12 Jun 2011 23:15, mail at kerrickstaley.com said:
>> > Is it possible to generate the digest for a file, and then create the
>> > signature from that digest later?
>> No, this is not possible.  We once considered to implement such a
>> feature but dropped that plan.  The technical problem is that with
>> OpenPGP you don't just sign a plain hash of the message but the hash of
>> a modified message (in text mode) and further the hash includes a few
>> magic bytes.  Thus to implement such a feature we we would need to do a
>> incomplete hash on the server and complete it on the client.  It is
>> doable but would look ugly.
>> My suggestion is to sign a the hash of the file; i.e. create a file with
>> the SHA-x digests on the remote box, download it and sign it on the
>> local box.
> So, no (unless we create our own implementation, but that'd be more
> complicated than just accepting signed hashes).

Not to bust your enthusiasm, but I had researched all of this and more
before writing my original email. It even included the final
suggestion of signing the hash of the file because the two things
can't be separated (and won't be done anytime soon by the upstream
devs). I looked at the agent as the best possibility for this very

I also want to make clear as it seems you have taken Denis' word as
the gospel here when he mentioned signing package databases. Not a
word of what I wrote when starting this thread implied databases, so I
apologize for that if it did. Those are no issue at all- they are
small enough that we could easily work out a solution similar to what
Denis proposed, so we need no remote singing capability at all with
those. The only thing I was looking for in this thread was a solution
for packages that are too unweildy to schlep back and forth for the
sole reason of signing; things like game data, Sage Mathematics
packages, OpenOffice, etc. if they were built on a remote machine.

It's also nice to link to the full thread if you're going to
cross-post one snippet:


More information about the pacman-dev mailing list