Boyd Stephen Smith Jr. wrote:
> On Thursday 04 December 2008, "Magnus Therning" <[EMAIL PROTECTED]> wrote
> about 'Remote signing of large files':
>> I'd feel a bit more safe if the signing could be done on a separate
>> server. However, the built files are large and I don't want to introduce
>> a bottleneck by transferring all files back and forth over the network.
>
> In any case, you'd only have to send big files in one direction, the
> detached signatures should be relatively small.
True, but with large files it still is too much time spent sending files
over the network.

>> So, my idea was to somehow separate the two steps that GnuPG performs
>> under the hood when signing, creating the message digest (hash) and
>> the signing of this message digest. I've found `--print-md` which
>> looks promising, but there doesn't seem to be any `--sign-md`.
>
> A detached signature is, mathematically, the message digest run through
> the encrypt() function. [Encrypting with the private key allows anyone
> with the public key to decrypt to the digest "plaintext" which they can
> compare to a locally calculated message digest, thus verifying the
> signature. They can also be assured that the signature is from the owner
> of the private key, or that the private key has been compromised.]
>
> So, you might try --encrypt'ing the output of --print-md.

AFAIU it wouldn't work:

1. Encrypting is actually using a symmetric algorithm for the bulk of the
   data and asymmetric crypto is only used to encrypt the symmetric key.
   In any case I don't think I can get `--encrypt` to use the private key.

2. AFAIU signing always signs a message digest, no matter what type of
   data I stick in. So signing the output of `--print-md` wouldn't do
   since verification would require a manual step.

/M

--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus@therning.org
http://therning.org/magnus

Haskell is an even 'redder' pill than Lisp or Scheme.
-- PaulPotts
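The split the thread is after, hash on the build host and sign only the digest on a separate signing host, is easy to show outside of GnuPG. The following is an added example and not code from the thread or from the GnuPG project: it uses RSA PKCS#1 v1.5 from Go's standard library as a stand-in for an OpenPGP signature (a real OpenPGP signature covers the digest of the data plus a signature trailer, so this is not byte-compatible with gpg), the "large artifact" is constructed in-line, and the function names are this example's own. It also shows the failure mode Magnus describes in point 2: if the signing side hashes the printed digest again as ordinary data, the resulting signature does not verify against a digest recomputed from the file.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// hashArtifact runs on the build host. It streams the large artifact through
// SHA-256 and returns only the 32-byte digest; the digest is all that needs to
// cross the network to the signing host.
func hashArtifact(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// signDigest runs on the signing host, which never sees the artifact itself.
// rsa.SignPKCS1v15 takes an already-computed digest; crypto.SHA256 only selects
// the DigestInfo prefix for the padding, it does not hash the input again.
// This is the missing "--sign-md" step, done with RSA instead of OpenPGP.
func signDigest(priv *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
}

// verifyDetached runs wherever the artifact is consumed: it recomputes the
// digest locally and checks the detached signature against that value.
func verifyDetached(pub *rsa.PublicKey, artifact io.Reader, sig []byte) bool {
	digest, err := hashArtifact(artifact)
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
}

// runScenario exercises the three cases that matter and reports whether each
// verified: the genuine artifact, a tampered copy, and a signature made over
// the hash of the hex digest (what signing --print-md output as plain data
// would amount to).
func runScenario() (genuineOK, tamperedOK, hashOfHashOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed stand-in for a large build artifact (not real data).
	artifact := bytes.Repeat([]byte("example-build-artifact-block\n"), 4096)

	// Build host: hash, ship only the digest.
	digest, err := hashArtifact(bytes.NewReader(artifact))
	if err != nil {
		return
	}
	// Signing host: sign the digest, ship back only the signature.
	sig, err := signDigest(priv, digest)
	if err != nil {
		return
	}
	// Consumer: verify the detached signature against the artifact itself.
	genuineOK = verifyDetached(&priv.PublicKey, bytes.NewReader(artifact), sig)

	// Flip one bit in the middle of the artifact; the signature must fail.
	tampered := append([]byte{}, artifact...)
	tampered[len(tampered)/2] ^= 0x01
	tamperedOK = verifyDetached(&priv.PublicKey, bytes.NewReader(tampered), sig)

	// Hash-of-hash: treat the printed hex digest as a message and hash it
	// again before signing. A verifier recomputing the file digest cannot
	// match this without an extra manual step.
	hexDigest := []byte(hex.EncodeToString(digest))
	rehashed, err := hashArtifact(bytes.NewReader(hexDigest))
	if err != nil {
		return
	}
	sigHoH, err := signDigest(priv, rehashed)
	if err != nil {
		return
	}
	hashOfHashOK = verifyDetached(&priv.PublicKey, bytes.NewReader(artifact), sigHoH)
	return
}

func main() {
	genuine, tampered, hoh, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine artifact verifies:       %v\n", genuine)
	fmt.Printf("tampered artifact verifies:      %v\n", tampered)
	fmt.Printf("hash-of-hash signature verifies: %v\n", hoh)
}
```

The only data that crosses the network in this flow is the 32-byte digest one way and the signature the other way; the artifact never leaves the build host, and the signing host's private key never leaves the signing host.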