Re: Remote signing of large files

["Magnus Therning" <magnus@therning.org>]

On Thu, Dec 4, 2008 at 12:30 PM, Thomas Karpiniec <arctanx@arctanx.id.au> wrote:
> Hi Magnus,
>
> Magnus Therning wrote:
>> At work I want to add signing to our automatic build system.  In
>> theory it's a simple application of `gpg` at the end of building to
>> get a detached signature would do, but I'm weary of sticking the
>> secret key on the build servers.  I'd feel a bit more safe if the
>> signing could be done on a separate server.  However, the built files
>> are large and I don't want to introduce a bottle neck by transfering
>> all files back and forth over the network.
>
> Would it be sufficiently secure to take an SHA1SUM or similar hash of
> the file on the remote side and sign that?
>
> Obviously that's not quite the same thing, but it would be a good deal
> faster and might meet your needs.

It would be sufficiently secure, but unfortunately we've been doing
manual signing for a while.  Other tools we have depend on the
signature being what gpg spits out when being fed the file rather than
a hash of the file.  Of course we could rewrite those tools, but
there's an issue of backwards compatability so it will turn it into a
harder sale.

/M

-- 
Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
magnus＠therning．org          Jabber: magnus＠therning．org
http://therning.org/magnus         identi.ca|twitter: magthe