Boyd Stephen Smith Jr. wrote:
> On Thursday 04 December 2008, "Magnus Therning" <magnus@therning.org> wrote
> about 'Remote signing of large files':
>> I'd feel a bit more safe if the
>> signing could be done on a separate server. However, the built files
>> are large and I don't want to introduce a bottleneck by transferring
>> all files back and forth over the network.
>
> In any case, you'd only have to send big files in one direction, the
> detached signatures should be relatively small.
True, but with large files it still is too much time spent sending files
over the network.
>> So, my idea was to somehow separate the two steps that GnuPG performs
>> under the hood when signing, creating the message digest (hash) and
>> the signing of this message digest. I've found `--print-md` which
>> looks promising, but there doesn't seem to be any `--sign-md`.
>
> A detached signature is, mathematically, the message digest run through
> the encrypt() function. [Encrypting with the private key allows anyone
> with the public key to decrypt to the digest "plaintext" which they can
> compare to a locally calculated message digest, thus verifying the
> signature. They can also be assured that the signature is from the owner
> of the private key, or that the private key has been compromised.]
>
> So, you might try --encrypt'ing the output of --print-md.
AFAIU it wouldn't work:
1. Encrypting is actually using a symmetric algorithm for the bulk of
the data and asymmetric crypto is only used to encrypt the symmetric
key. In any case I don't think I can get `--encrypt` to use the private
key.
2. AFAIU signing always signs a message digest, no matter what type of
data I stick in. So signing the output of `--print-md` wouldn't do
since verification would require a manual step.
/M
--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus@therning.org
http://therning.org/magnus
Haskell is an even 'redder' pill than Lisp or Scheme.
-- PaulPotts
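Magnus's second point (GnuPG always hashes whatever it is handed, so signing the text printed by `--print-md` yields a signature over hash(text), not hash(file)) illustrated as an added Python example; this is not code from the thread, from GnuPG or from OpenPGP. It uses a toy textbook-RSA scheme over SHA-256 with PKCS#1 v1.5-shaped padding, and the names `keygen`, `sign_digest` (the hypothetical `--sign-md` step) and `verify` are the example's own.

```python
# Toy illustration of a "sign-md" step: textbook RSA over SHA-256 with PKCS#1 v1.5-shaped
# padding (no DigestInfo). Not OpenPGP and not GnuPG code; for the shape of the argument only.
import hashlib
import random

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, for large odd candidates
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def _rand_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # fixed size, odd
        if _is_probable_prime(c):
            return c

def keygen(bits=1024):  # returns (public (n, e), private (n, d)); a small key keeps the demo quick
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _encode(digest, n):  # pad the 32-byte digest out to the modulus size
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - 3 - len(digest)) + b"\x00" + digest, "big")

def sign_digest(digest, priv):  # the hypothetical --sign-md: sign the digest without re-hashing it
    n, d = priv
    return pow(_encode(digest, n), d, n)

def verify(data, sig, pub):  # ordinary verification: hash the data locally and compare
    n, e = pub
    return pow(sig, e, n) == _encode(hashlib.sha256(data).digest(), n)

def demo(seed=1):
    random.seed(seed)  # deterministic toy keys; constructed demo only
    pub, priv = keygen()
    big_file = b"build-output-" * 100_000  # constructed stand-in for a large build artifact
    digest = hashlib.sha256(big_file).digest()  # build host: only these 32 bytes cross the network
    good = sign_digest(digest, priv)  # signing host: sign the digest as-is
    printed = digest.hex().encode()  # the text --print-md would emit
    naive = sign_digest(hashlib.sha256(printed).digest(), priv)  # gpg --sign hashes that text again
    return {
        "sign_md_verifies_file": verify(big_file, good, pub),  # True
        "naive_verifies_file": verify(big_file, naive, pub),  # False: covers hash(text), not hash(file)
        "naive_verifies_printed_digest": verify(printed, naive, pub),  # True, but then compare by hand
    }
```

The third result is the "manual step" from the mail: the naive signature only vouches for the printed text, so the verifier must still hash the file and compare digests themselves.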