How to sign a remote repository, i.e. forward agent
Joke de Buhr
joke at seiken.de
Thu Jul 1 10:21:29 CEST 2010
Here is some kind of suggestion which might be helpful in your case.
If I need to do signing or encrypting on remote hosts I use ssh to execute the
signing command on a other remote machine in this case my local machine. It
doesn't work in any case but in some cases like git tag signing, email signing
or signing of files.
On the machine you want to do the signing/encrypting job create a wrapper
shell-script called gpg. Put it somewhere first in path so the application
which wants to call gpg calls the wrapper script instead. If you can specify
which command to use point directly to the wrapper script.
The wrapper script should execute the gpg command on your local machine using
ssh like this.
ssh username at address.to.your.local.host /path/to/gpg_executable $*
The wrapper script will use ssh to run gpg "at home" where you keep your
This kind of wrapping script is very limited. The application which wants to
sign/encrypt something needs to pass the input data via stdin to gpg. Ssh will
transfer the data back home run the gpg command there and send it back.
If your application wants to call gpg in a way like this it doesn't work:
gpg --sign input.temp --output output.temp
But you could obviously rewrite the wrapper script like this.
cat $2 | ssh username at address.to.your.local.host /path/to/gpg_executable \
$* > $4
You need to do some testing how your application calls gpg.
On Tuesday 29 June 2010 21:40:37 Carsten Aulbert wrote:
> Hi all (please cc me on any reply),
> this question has come up here in the past but I've never found *any* reply
> so far.
> My problem is relatively simple. We provide a (Debian) repository for our
> colleagues as well as ourselves and would like to sign it (for the experts:
> reprepro's export option). Of course one could either copy around the
> secret keyring and start the agent remotely or type the passphrase many
> times, but straight from the FAQ this is not a good idea(TM).
> Now the notorious question: Does anyone know how to forward the agent's
> socket to the remote machine? I've briefly tried socat (remote unix socket
> to tcp port, ssh tunnel of this port and then socat again to link the
> forwarded port to the existing socket) but so far to no avail.
> Anyone with an idea how to accomplish this?
> Thanks a lot in advance
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 706 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users