On Tue, Dec 02, 2003 at 10:16:32PM +0100, Matthias Urlichs wrote: > Hi, Henrique de Moraes Holschuh wrote: > > > On Tue, 02 Dec 2003, Wouter Verhelst wrote: > >> So unless you have a suggestion that would solve this particular issue, > >> I'm afraid this idea won't work in practice. > > > > We could verify if the gpg agent (gpa? I forget the name...) cannot do this > > over a secure channel. It should be able to, and if not, it can probably be > > taught to. > > It's not that easy (basically you need to tunnel the actual > encryprion/signing function, not just the passphrase-getting). > See ssh-agent as an example. > > The good thing is that people are already thinking about this. > > http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017920.html Well, implemented as Werner suggests in that message would require me to send the actual .deb over the line. I won't do that, since I don't have the bandwidth (or, in many cases, the time to wait for the download to finish; arrakis runs behind an ADSL line, while quickstep behind my cable modem. upstream speeds aren't that fast (and I regularly handle their mails at work)). As I understand it, an OpenPGP signature is an encrypted hash or something similar of the actual data. It would be feasible if the signature algorithm would allow for hashing the data on the remote machine, and signing that hash locally. Then again, we could do such things right now. Wouldn't it be more interesting to gpg-sign md5sums of control.tar.gz and data.tar.gz? Especially in the case of larger .debs, that would probably reduce the actual signature size as well... -- Wouter Verhelst Debian GNU/Linux -- http://www.debian.org Nederlandstalige Linux-documentatie -- http://nl.linux.org "Stop breathing down my neck." "My breathing is merely a simulation." "So is my neck, stop it anyway!" -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.
Description: Digital signature