
Re: Remote signing of large files



Douglas A. Tutty wrote:
> On Thu, Dec 04, 2008 at 12:26:31PM +0000, Magnus Therning wrote:
>> At work I want to add signing to our automatic build system.  In
>> theory it's a simple application of `gpg` at the end of building to
>> get a detached signature would do, but I'm wary of sticking the
>> secret key on the build servers.  I'd feel a bit more safe if the
>> signing could be done on a separate server.  However, the built files
>> are large and I don't want to introduce a bottleneck by transferring
>> all files back and forth over the network.
>>
>> So, my idea was to somehow separate the two steps that GnuPG performs
>> under the hood when signing, creating the message digest (hash) and
>> the signing of this message digest.  I've found `--print-md` which
>> looks promising, but there doesn't seem to be any `--sign-md`.
>  
> If the mountain won't come to you, go to the mountain.
> 
> If you don't want to store the secret key on the build server and you
> don't want to copy the files over the network to a trusted server, can
> you access the secret key over the network and do the gpg stuff on the
> build server?  I.e. pipe the secret key through ssh?

Ah, yes, that's a good idea, I'll have to explore that option.

> I wonder about the latest comment on this thread.  Examine why you don't
> want the secret key on the build server and why you would feel more
> secure with the signing done on a separate server.

Well, the main reason is that there are _a_lot_ of people with direct
access to the build server.  The idea is to find a way to limit people's
_direct_ access to the server with the keys.  I know there are problems,
but hopefully it doesn't require too much work to at least achieve some
traceability in such a setup.

/M

-- 
Magnus Therning                             (OpenPGP: 0xAB4DFBA4)
magnus@therning.org             Jabber: magnus@therning.org
http://therning.org/magnus

Haskell is an even 'redder' pill than Lisp or Scheme.
     -- PaulPotts
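The split discussed above, hash locally and sign elsewhere, as an added example that is not from the thread or from GnuPG: the build server streams a SHA-256 over each artifact into a sha256sum-style manifest, only that short text crosses the network to be clear-signed on a separate host (`signing_host` is an assumed name with an assumed gpg setup), and consumers check artifacts against the manifest once `gpg --verify` has accepted it.

```python
import hashlib
import hmac
import os
import subprocess

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB artifact never sits in memory


def sha256_file(path):
    """Streamed SHA-256 of a file as a lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(paths):
    """Manifest in `sha256sum` format, one '<hex>  <basename>' line per file.
    Only this short text, not the artifacts, has to reach the signing host."""
    return "".join(f"{sha256_file(p)}  {os.path.basename(p)}\n" for p in paths)


def sign_manifest_remote(manifest, signing_host):
    """Clear-sign the manifest on `signing_host` (assumed name) via ssh, where
    gpg and the secret key live; the key never touches the build server.
    Not run by the test: it needs a real ssh and gpg setup."""
    done = subprocess.run(["ssh", signing_host, "gpg", "--clearsign"],
                          input=manifest.encode(), capture_output=True, check=True)
    return done.stdout.decode()


def parse_manifest(manifest):
    """Return {basename: hexdigest}; a malformed line is an error, not skipped."""
    entries = {}
    for line in manifest.splitlines():
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad manifest line: {line!r}")
        entries[name] = digest
    return entries


def verify_against_manifest(path, manifest):
    """True iff the file's digest matches its entry. Pass the plaintext that
    `gpg --verify`/`--decrypt` accepted; an unverified manifest proves nothing."""
    expected = parse_manifest(manifest).get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(expected, sha256_file(path))
```

Note that the signing host attests only to the digests it was handed, so the build server's own access controls and logs still decide who could have fed it a manifest.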
