On Thu, Dec 4, 2008 at 12:30 PM, Thomas Karpiniec <[EMAIL PROTECTED]> wrote: > Hi Magnus, > > Magnus Therning wrote: >> At work I want to add signing to our automatic build system. In >> theory it's a simple application of `gpg` at the end of building to >> get a detached signature would do, but I'm weary of sticking the >> secret key on the build servers. I'd feel a bit more safe if the >> signing could be done on a separate server. However, the built files >> are large and I don't want to introduce a bottle neck by transfering >> all files back and forth over the network. > > Would it be sufficiently secure to take an SHA1SUM or similar hash of > the file on the remote side and sign that? > > Obviously that's not quite the same thing, but it would be a good deal > faster and might meet your needs.
It would be sufficiently secure, but unfortunately we've been doing manual signing for a while. Other tools we have depend on the signature being what gpg spits out when being fed the file rather than a hash of the file. Of course we could rewrite those tools, but there's an issue of backwards compatability so it will turn it into a harder sale. /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe
