Way to split MD and signing

Werner Koch wk at gnupg.org
Mon Dec 8 12:48:18 CET 2008


On Thu,  4 Dec 2008 11:42, magnus at therning.org said:

> I have an automated system that generates a lot of large files.  I
> want to sign these files, but I want to keep the secret key on a more

You are not the first to ask about it.  IIRC, there is even a feature
request in the tracker.

The problem is that with OpenPGP you don't just sign the plain message
digest of the data but the message digest also includes some trailer
data.  Thus you can't just pass gpg a message digest but you need to
pass it the internal context of the hash algorithm (chaining variable
and length of already hashed data).  This is in theory possible but
there has not been enough demand to implement that.

The usual workaround is to create a file with the digest, send it to the
other box and sign that file.

Another approach would be to extend gpg's channel to gpg-agent to
allow for a remote connection.  Along with the envisioned gpg which uses
gpg-agent to perform all operations involving the secret key, this would
make up a nice solution.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
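To make concrete why a finished digest is not enough but the hash's internal context is, here is an added example (mine, not from this thread or from GnuPG) in Python: a minimal SHA-1 whose chaining variable, byte count and unprocessed tail can be exported by the box that has the data and resumed by the box that has the key. The trailer bytes used in the test are a constructed stand-in, not a real OpenPGP signature trailer.

```python
import hashlib
import struct

MASK = 0xffffffff
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0)

_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def _compress(h, block):
    # One SHA-1 compression of a 64-byte block onto the chaining variable h.
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20: f, k = (b & c) | (~b & d), 0x5a827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ed9eba1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8f1bbcdc
        else: f, k = b ^ c ^ d, 0xca62c1d6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]

class Sha1Context:
    # SHA-1 with an exportable context (chaining variable, byte count, unprocessed tail).
    def __init__(self, h=IV, length=0, tail=b""):
        self.h, self.length, self.tail = list(h), length, tail
    def update(self, data):
        self.tail, self.length = self.tail + data, self.length + len(data)
        while len(self.tail) >= 64:
            self.h, self.tail = _compress(self.h, self.tail[:64]), self.tail[64:]
        return self
    def export(self):
        return tuple(self.h), self.length, self.tail  # all the key-holding box needs
    def digest(self):
        pad = b"\x80" + b"\x00" * ((55 - self.length) % 64) + struct.pack(">Q", self.length * 8)
        h = Sha1Context(self.h, self.length, self.tail).update(pad).h
        return b"".join(struct.pack(">I", x) for x in h)

def split_hash(data, trailer):
    # Box A ships only its hash context; box B (with the key) adds the trailer and finalises.
    ctx = Sha1Context().update(data).export()
    return Sha1Context(*ctx).update(trailer).digest()

def direct_hash(data, trailer):
    # What gpg computes locally: one digest over the data followed by the trailer.
    return hashlib.sha1(data + trailer).digest()

def digest_only_hash(data, trailer):
    # Naive scheme: a finished digest alone cannot have the trailer folded in.
    return hashlib.sha1(hashlib.sha1(data).digest() + trailer).digest()
```

The same resumption works for any Merkle-Damgard hash gpg offers (SHA-256 needs only the constants swapped); split_hash agrees with direct_hash even when the trailer straddles a block boundary, while digest_only_hash never does.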




More information about the Gnupg-users mailing list