
Re: Remote signing of large files



On Thursday 04 December 2008, "Magnus Therning" <magnus@therning.org> wrote 
about 'Remote signing of large files':
>I'd feel a bit more safe if the
>signing could be done on a separate server.  However, the built files
>are large and I don't want to introduce a bottleneck by transferring
>all files back and forth over the network.

In any case, you'd only have to send big files in one direction; the 
detached signatures should be relatively small.

>So, my idea was to somehow separate the two steps that GnuPG performs
>under the hood when signing, creating the message digest (hash) and
>the signing of this message digest.  I've found `--print-md` which
>looks promising, but there doesn't seem to be any `--sign-md`.

A detached signature is, mathematically, the message digest run through 
the encrypt() function.  [Encrypting with the private key allows anyone 
with the public key to decrypt to the digest "plaintext" which they can 
compare to a locally calculated message digest, thus verifying the 
signature.  They can also be assured that the signature is from the owner 
of the private key, or that the private key has been compromised.]

So, you might try --encrypt'ing the output of --print-md.
-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =. 
bss03@volumehost.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-' 
http://iguanasuicide.org/                      \_/     
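
The split asked about in this thread (hash the large file on the build host, send only the digest to a separate signing host) is sketched below as an added example; it is not part of the original message and is not GnuPG code. It assumes raw RSA with PKCS#1 v1.5 encoding rather than the OpenPGP signature format, uses a constructed and insecure demo key, and all function names are hypothetical.

```python
import hashlib
import io

# Constructed demo key built from two public Mersenne primes: NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: exists only on the signing host
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def file_digest(stream, chunk=1 << 20):
    """Build host: hash the artifact in chunks; only 32 bytes leave the host."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.digest()

def _encode(digest):
    """EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 || DigestInfo || digest, as an int."""
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    t = SHA256_PREFIX + digest
    padding = b"\xff" * (K - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + t, "big")

def sign_digest(digest):
    """Signing host: receives the digest only, never the file."""
    return pow(_encode(digest), D, N).to_bytes(K, "big")

def verify(stream, signature):
    """Verifier: recompute the digest from the file, compare with the signed block."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return pow(s, E, N) == _encode(file_digest(stream))

if __name__ == "__main__":
    artifact = b"constructed build artifact\n" * 100000   # stand-in for a large file
    digest = file_digest(io.BytesIO(artifact))            # build host
    sig = sign_digest(digest)                             # signing host
    print(len(digest), "digest bytes sent,", len(sig), "signature bytes returned")
    print("valid:", verify(io.BytesIO(artifact), sig))
    print("tampered:", verify(io.BytesIO(artifact + b"x"), sig))
```

The signing host trusts whatever digest it is handed, so the channel that delivers the digest has to be authenticated just as the file transfer would have been.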
