
Re: Remote signing of large files



On Thu, Dec 04, 2008 at 12:26:31PM +0000, Magnus Therning wrote:
> At work I want to add signing to our automatic build system.  In
> theory a simple application of `gpg` at the end of building to
> get a detached signature would do, but I'm wary of sticking the
> secret key on the build servers.  I'd feel a bit safer if the
> signing could be done on a separate server.  However, the built files
> are large and I don't want to introduce a bottleneck by transferring
> all files back and forth over the network.
> 
> So, my idea was to somehow separate the two steps that GnuPG performs
> under the hood when signing, creating the message digest (hash) and
> the signing of this message digest.  I've found `--print-md` which
> looks promising, but there doesn't seem to be any `--sign-md`.
 
If the mountain won't come to you, go to the mountain.

If you don't want to store the secret key on the build server and you
don't want to copy the files over the network to a trusted server, can
you access the secret key over the network and do the gpg stuff on the
build server?  I.e. pipe the secret key through ssh?

I wonder about the latest comment on this thread.  Examine why you don't
want the secret key on the build server and why you would feel more
secure with the signing done on a separate server.

Doug.
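As an added example (not from this thread, and not GnuPG's own tooling): the hash-here, sign-there split that the quoted message was looking for as a `--sign-md` can be done with the OpenSSL command line, because `openssl pkeyutl -sign` accepts a precomputed digest as input. The build server hashes the artifact locally, only the 32-byte digest travels to the signing host, and the private key never leaves that host. The script below generates a throwaway RSA key as a stand-in for the release key, signs a constructed 1 MiB file, verifies it, and checks that a tampered copy is rejected; the `signhost` name and key path in the comment are hypothetical. One caveat a practitioner will care about: the result is a PKCS#1 v1.5 signature, not an OpenPGP signature, so it is verified with `openssl`, not with `gpg --verify`.

```shell
#!/bin/sh
# Added example, not code from the thread: hash on the build server, sign the
# raw digest on a separate host with OpenSSL.  Host names and key paths in
# the comments are hypothetical.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Signing host only: the private key lives here and nowhere else.
# A fresh 2048-bit RSA key stands in for the real release key.
make_signing_key() {            # $1 = private key path; also writes $1.pub
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$1.pub"
}

# Build server: hash the (large) artifact locally.  Output is the raw
# 32-byte SHA-256 digest, the binary form of what --print-md shows.
digest_file() {                 # $1 = artifact, $2 = digest output path
    openssl dgst -sha256 -binary -out "$2" "$1"
}

# Signing host: sign the raw digest.  -pkeyopt digest:sha256 makes pkeyutl
# wrap it in the PKCS#1 v1.5 DigestInfo for SHA-256 before padding, so the
# result is the same as an ordinary `openssl dgst -sha256 -sign` signature.
sign_digest() {                 # $1 = private key, $2 = digest file, $3 = sig output
    openssl pkeyutl -sign -inkey "$1" -pkeyopt digest:sha256 -in "$2" -out "$3"
}

# Anyone: recompute the digest from the artifact and check the signature.
# Returns 0 on success, 1 on failure.  The decision is taken from pkeyutl's
# message rather than its exit code, which older releases did not set.
verify_file() {                 # $1 = public key, $2 = artifact, $3 = signature
    d="$WORK/verify.$$.digest"
    digest_file "$2" "$d"
    openssl pkeyutl -verify -pubin -inkey "$1" -pkeyopt digest:sha256 \
        -in "$d" -sigfile "$3" 2>/dev/null | grep -q "Verified Successfully"
}

# Over the wire the build server would run the signing step as, e.g.:
#   ssh signhost openssl pkeyutl -sign -inkey /etc/release/key.pem \
#       -pkeyopt digest:sha256 < build.digest > build.sig
# The digest goes up stdin, the signature comes back on stdout; the
# artifact itself stays on the build server.

# End-to-end run on a constructed artifact: returns 0 if a good signature
# verifies and the same signature is rejected for a tampered copy.
run_demo() {
    key="$WORK/release.pem"
    make_signing_key "$key"
    artifact="$WORK/build.tar"
    # 1 MiB of random bytes stands in for the build output.
    dd if=/dev/urandom of="$artifact" bs=1024 count=1024 2>/dev/null
    digest_file "$artifact" "$WORK/build.digest"
    sign_digest "$key" "$WORK/build.digest" "$WORK/build.sig"
    verify_file "$key.pub" "$artifact" "$WORK/build.sig" || return 1
    # Overwrite one byte; the signature must no longer verify.
    cp "$artifact" "$WORK/tampered.tar"
    printf 'X' | dd of="$WORK/tampered.tar" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_file "$key.pub" "$WORK/tampered.tar" "$WORK/build.sig"; then
        return 1
    fi
    return 0
}

run_demo && echo "digest signed off-box and verified; tampered copy rejected"
```

The signing host only ever sees 32 bytes per build, so it can sit behind a restricted SSH command (a forced command that runs just the `pkeyutl -sign` line) and the build server needs no key material at all. What it does not give you is an OpenPGP signature; if consumers verify with `gpg`, this split does not produce something they can check.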

