Douglas A. Tutty wrote:
> On Thu, Dec 04, 2008 at 12:26:31PM +0000, Magnus Therning wrote:
>> At work I want to add signing to our automatic build system. In theory a simple application of `gpg` at the end of building to get a detached signature would do, but I'm wary of sticking the secret key on the build servers. I'd feel a bit more safe if the signing could be done on a separate server. However, the built files are large and I don't want to introduce a bottleneck by transferring all files back and forth over the network.
>>
>> So, my idea was to somehow separate the two steps that GnuPG performs under the hood when signing, creating the message digest (hash) and the signing of this message digest. I've found `--print-md` which looks promising, but there doesn't seem to be any `--sign-md`.
>
> If the mountain won't come to you, go to the mountain.
>
> If you don't want to store the secret key on the build server and you don't want to copy the files over the network to a trusted server, can you access the secret key over the network and do the gpg stuff on the build server? I.e. pipe the secret key through ssh?

Ah, yes that's a good idea, I'll have to explore that option.

> I wonder about the latest comment on this thread. Examine why you don't want the secret key on the build server and why you would feel more secure with the signing done on a separate server.

Well, the main reason is that there are _a_lot_ of people with direct access to the build server. The idea is to find a way to limit people's _direct_ access to the server with the keys. I know there are problems, but hopefully it doesn't require too much work to at least achieve some traceability in such a setup.

/M

--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus@therning.org
http://therning.org/magnus

Haskell is an even 'redder' pill than Lisp or Scheme.
-- PaulPotts
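The hash-here, sign-there split that the original question asks for, as an added example that is not part of the thread and is not GnuPG code. It uses plain RSA PKCS#1 v1.5 over SHA-256 from Go's standard library, because a raw file digest cannot be turned into a detached OpenPGP signature: an OpenPGP v4 signature's hash also covers the signature's own hashed subpackets and trailer, which is why `gpg` has no `--sign-md`. With a raw-RSA scheme the separation works exactly as described: the build server streams the large artifact through SHA-256 and ships only the 32-byte digest; a separate signing host holds the private key, signs the digest, and keeps a per-request record for the traceability the poster wants. The `SigningService` type, its `Log` field, the requester and artifact names and the artifact bytes are all assumptions constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// DigestArtifact runs on the build server: stream the artifact through SHA-256.
// The artifact itself never leaves the host; only the 32-byte digest does.
func DigestArtifact(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// SigningService is the hypothetical separate host that holds the private key.
// It accepts digests, never files, and records every request it signs.
type SigningService struct {
	priv *rsa.PrivateKey
	Log  []string // constructed in-memory audit trail; a real service would append to a file
}

// NewSigningService generates a fresh key. In practice the key would be loaded
// from the signing host's own storage, not generated per run.
func NewSigningService(bits int) (*SigningService, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv}, nil
}

// Public returns the verification key that consumers of the build get.
func (s *SigningService) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// SignDigest signs an already-computed SHA-256 digest. rsa.SignPKCS1v15 takes the
// hash value directly, which is the missing "sign-md" step from the question.
// The requester and artifact name are logged so a signature can be traced back.
func (s *SigningService) SignDigest(requester, artifact string, digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("want %d-byte SHA-256 digest, got %d bytes", sha256.Size, len(digest))
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest)
	if err != nil {
		return nil, err
	}
	s.Log = append(s.Log, fmt.Sprintf("requester=%s artifact=%s sha256=%s",
		requester, artifact, hex.EncodeToString(digest)))
	return sig, nil
}

// VerifyArtifact is what a consumer of the build runs: re-hash the full artifact
// and check the detached signature against the public key.
func VerifyArtifact(pub *rsa.PublicKey, r io.Reader, sig []byte) error {
	digest, err := DigestArtifact(r)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig)
}

func main() {
	svc, err := NewSigningService(2048)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a large build output.
	artifact := strings.Repeat("build output ", 1000)

	// Build server: hash locally, send only the digest.
	digest, _ := DigestArtifact(strings.NewReader(artifact))
	// Signing host: sign the digest, return the signature.
	sig, err := svc.SignDigest("build-server-01", "product-1.2.3.tar.gz", digest)
	if err != nil {
		panic(err)
	}
	// Consumer: verify, then show that a one-byte change is rejected.
	fmt.Println("valid:", VerifyArtifact(svc.Public(), strings.NewReader(artifact), sig) == nil)
	fmt.Println("tampered rejected:", VerifyArtifact(svc.Public(), strings.NewReader(artifact+"x"), sig) != nil)
	fmt.Println("audit:", svc.Log[0])
}
```

The digest is the only thing crossing the network, so the build servers stay key-free and the signing host's log records who asked for what. The signing host still signs whatever digest it is given, so the log is a trace, not a guarantee that the digest matches a legitimate build; restricting which hosts may submit requests, and from where, is what limits who can obtain a signature.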