Please don't CC me on replies, unless I request one. It is against debian-* list policy. On Friday 2008 December 05 15:49, you wrote: > Boyd Stephen Smith Jr. wrote: > > On Thursday 04 December 2008, "Magnus Therning" <magnus@therning.org> > > wrote > > about 'Remote signing of large files': > >> So, my idea was to somehow separate the two steps that GnuPG performs > >> under the hood when signing, creating the message digest (hash) and > >> the signing of this message digest. I've found `--print-md` which > >> looks promising, but there doesn't seem to be any `--sign-md`. > > > > A detached signature is, mathematically, the message digest run thorough > > the encrypt() function. [Encrypting with the private key allows anyone > > with the public key to decrypt to the digest "plaintext" which they can > > compare to a locally calculated message digest, thus verifying the > > signature. They can also be assured that the signature is from the owner > > of the private key, or that the private key has been compromised.] > > > > So, you might try --encrypt'ing the output of --print-md. > > AFAIU it wouldn't work: > > 1. Encrypting is actually using a symmetric algorithm for the bulk of > the data and asymmetric crypto is only used to encrypt the symmetric > key. In any case I don't think I can get `--encrypt` to use the private > key. That's only true in active protocols with a handshake, e.g. SSL or TLS. The only reason active protocols do this is because symmetric ciphers are generally faster. For "offline" encryption, using an asymmetric keys directly works fine. If you encrypt something with gpg it uses the public key of the chosen recipient or their public subkey designated for encryption. > 2. AFAIU signing always signs a message digest, no matter what type of > data I stick in. So signing the output of `--print-md` wouldn't do > since verification would require a manual step. Um, sort of. sign(data, privkey) == encrypt(digest(data), privkey), by definition. So, you should be able to take the output of --print-md, then --encrypt it, specifying your private key. It's a bit more complex then that, because of data encoding issues, but it should be possible with the command-line tools. If not, it's definitely possible with some custom C code -- I forget what the C binding for gpg are called, but you'll probably need that and libgcrypt. -- Boyd Stephen Smith Jr. ,= ,-_-. =. bss03@volumehost.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.org/ \_/
Attachment:
pgpkYAh4IjJWS.pgp
Description: PGP signature