Remote signing?

David Shaw dshaw at jabberwocky.com
Sun Feb 19 21:19:30 CET 2006


On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote:
> Hello,
> 
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.

You have two good options.  Which is the best option depends on your
exact circumstances.

The first option is to hash the files remotely, with something like:

  gpg --print-md sha256 (thefile)

and then make a text file of hashes on your local laptop and sign that
text file.  This option presumes that the link between the remote
machine and your local machine is secure so that someone replacing the
hash between the remote and local machine is not a risk.

The other option is to make a new key (or new subkey) that can live on
the remote machine.  This key would be signed with your main key so
there is a chain of trust.  The disadvantage here is that if the
remote machine (and thus the key living there) is compromised, the
attacker may issue signatures using that key.  You can revoke the key,
of course, but this assumes that the recipients can get the
revocation.

David
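The first option above (hash remotely, move only the hashes, sign the hash list on the laptop) is a manifest-signing workflow, and the step that is easy to get wrong is the verification on the receiving end. The following is an added example written for this page, not code from David Shaw's mail or from GnuPG: it assumes a `sha256sum -c` style manifest layout (`<hex digest>  <filename>`) rather than the grouped-hex output of `gpg --print-md`, and it assumes the actual signing and signature check of the manifest are done outside the script with `gpg --clearsign` / `gpg --verify`. The scenario with two files and one byte flipped in transit is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

HEX = set("0123456789abcdef")


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Stream the file through the digest so a large file never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Remote side: one '<sha256 hex>  <basename>' line per file (sha256sum -c layout).
    Only this small text travels to the laptop; the laptop signs it, e.g. with
    'gpg --clearsign manifest.txt' (the signing step is an assumption outside this script)."""
    return "".join(f"{hash_file(p)}  {os.path.basename(p)}\n" for p in sorted(paths))


def parse_manifest(text):
    """Strict parser: rejects malformed digests, duplicate names and any name that
    carries a directory component, so a manifest entry can never point outside
    the directory being checked."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"manifest line {lineno}: malformed digest: {raw!r}")
        if name != os.path.basename(name) or name in (".", ".."):
            raise ValueError(f"manifest line {lineno}: name must be a bare filename: {name!r}")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        entries[name] = digest
    return entries


def verify_against_manifest(manifest_text, directory):
    """Recipient side, to be run only after 'gpg --verify' has accepted the signature
    on the manifest: recompute every hash and compare. Returns {name: status} with
    status 'OK', 'MISMATCH' or 'MISSING'; a file on disk that the manifest does not
    list is reported as 'UNLISTED' so silently added files are noticed too."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if hmac.compare_digest(hash_file(path), digest) else "MISMATCH"
    for name in os.listdir(directory):
        if name not in expected and os.path.isfile(os.path.join(directory, name)):
            results[name] = "UNLISTED"
    return results


def demo():
    """Constructed scenario: two files hashed 'remotely', the manifest carried across,
    then one byte of the large file is altered in transit.
    Returns (status before tampering, status after tampering)."""
    with tempfile.TemporaryDirectory() as remote, tempfile.TemporaryDirectory() as mirror:
        files = []
        for name, payload in (("release.tar", b"A" * 3_000_000), ("notes.txt", b"changelog\n")):
            p = os.path.join(remote, name)
            with open(p, "wb") as f:
                f.write(payload)
            files.append(p)
        manifest = build_manifest(files)
        for p in files:
            shutil.copy(p, mirror)
        clean = verify_against_manifest(manifest, mirror)
        # One byte of the big file changes on the mirror; the signed manifest catches it.
        with open(os.path.join(mirror, "release.tar"), "r+b") as f:
            f.seek(1234)
            f.write(b"B")
        tampered = verify_against_manifest(manifest, mirror)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The parser is deliberately strict because the manifest is the only thing the signature covers: once `gpg --verify` accepts it, anything the verifier tolerates (a relative path, a duplicate name, an unlisted extra file) becomes something the signature silently vouches for. The caveat from the mail still applies: the hashes must reach the laptop over a channel the attacker cannot alter, since the signature only attests to whatever list the laptop received.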
