skl99...@gmx.net (02.02.2009 23:25): > Hello, > > is there a possibility to have gpg2 make a detached cleartext > signature? I only seem to be able to have it do either the one or the > other.
gpg --armor --detach-sign --sign > And the more complex follow on question for all the crypto experts > out there: the reason why I want to do that is because I would like > to timestamp some files, eg using www.itconsult.co.uk/stamper.htm. I wouldn't consider Stamper's keys as secure. They date back to 1995, they are a v3 keys, they are even not self-signed so it's not so easy to even import them on the keyring. Try using something like this: http://timemarker.org/en/ > Now my thought was that I do not really send the file itself (which > might be rather big) but that I could sign the file and then > timestamp the signature. Would this be enough (1), and would it > matter if the password of my signature key would become compromised > (2)? May guess is (1) yes, (2) no because I am really only making use > of the hashing algorithm, and indeed I also could simply timestamp a > hash (is this true?). Using a hash value from a secure hash algorithm will suffice. Keep in mind that you should timestamp not a hash value alone, but a hash value along with the name of hashing algorithm, e.g. SHA256:1234ABCD0987... > The reason that I want to to have a timestamped detached cleartext > signature is that I believe that this is a bit more stable than a > timestamped detached signature of a binary - views on this? What do you mean by stable? -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users