computing detached signature for a batch of files

David Shaw dshaw@jabberwocky.com
Wed Sep 10 16:16:01 2003


On Tue, Sep 09, 2003 at 10:26:15PM +0200, Alexandre Duret-Lutz wrote:
> Hi people,
> 
> I'm using gpg to build detached signatures for packages.
> When doing so, I generally have several files to sign.
> For instance I may have to sign foo-1.1.tar.gz and foo-1.1.tar.bz2.
> 
> It's a burden to type my pass-phrase for each file I want to sign.
> Is there any way I could do this and still type my pass-phrase only once?
> 
> I've already tried "gpg --detach-sign foo-1.1.tar.gz foo-1.1.tar.bz2",
> but that creates one signature instead of two signatures (I assume
> this is the signature for the concatenation of both files, but I haven't
> checked).

You assume correctly.  It is the concatenation of both files.

There is no way to do what you want inside of GnuPG itself (though as
it happens, it's on my list of stuff to add at some point).  You could
write a script to do it, but of course the script would have to know
the passphrase... and will thus be in insecure memory.  Only you can
decide whether this is a problem or not.

Another solution is to use the gpg-agent.  This caches your passphrase
in a secure manner.

David
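The per-file approach that the reply describes, written out as an added example (this is not code from the thread or from GnuPG): each file gets its own `gpg --detach-sign` invocation, so no signature over the concatenation is produced, and the script never touches the passphrase itself, which is left to gpg-agent (gpg 2.x starts the agent on demand and caches the passphrase after the first pinentry for `default-cache-ttl` seconds). The `GPG_CMD` variable and the `.asc` output naming are this script's own choices.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: one detached
# signature per file, with gpg-agent caching the passphrase so it is typed
# once. GPG_CMD and the ".asc" suffix are choices made here, not gpg defaults.

: "${GPG_CMD:=gpg}"      # command used to sign/verify; overridable for dry runs

# sign_each FILE...  -> writes FILE.asc (ASCII-armored detached signature)
# Each file goes to a separate gpg invocation, so unlike
# "gpg --detach-sign a b" no single signature over the concatenation results.
sign_each() {
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "sign_each: $f is not a regular file" >&2
            return 1
        fi
        # --batch: never prompt on the terminal; the passphrase is obtained
        # through gpg-agent (pinentry on the first file, cached afterwards).
        # The script itself never sees the passphrase.
        "$GPG_CMD" --batch --yes --armor --detach-sign \
            --output "$f.asc" "$f" || return 1
    done
}

# verify_each FILE...  -> checks FILE.asc against FILE; stops at the first
# file whose signature does not verify
verify_each() {
    for f in "$@"; do
        "$GPG_CMD" --batch --verify "$f.asc" "$f" || return 1
    done
}

# Run only when files are named on the command line, so sourcing this file
# just defines the functions.  Usage: ./sign-batch.sh foo-1.1.tar.gz foo-1.1.tar.bz2
if [ "$#" -gt 0 ]; then
    sign_each "$@" && verify_each "$@"
fi
```

Verifying each signature right after signing catches the failure mode the original question hit: a signature that exists but does not correspond to the single file it sits next to. If gpg-agent is not in use, the only way to let a script do this unattended is to hand it the passphrase (for example via `--passphrase-fd`), which is exactly the "script knows the passphrase" situation the reply cautions about.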