How to sign a remote repository, i.e. forward agent

Joke de Buhr joke at
Thu Jul 1 10:21:29 CEST 2010

Here is some kind of suggestion which might be helpful in your case.

If I need to do signing or encrypting on remote hosts I use ssh to execute the 
signing command on a other remote machine in this case my local machine.  It 
doesn't work in any case but in some cases like git tag signing, email signing 
or signing of files.

On the machine you want to do the signing/encrypting job create a wrapper 
shell-script called gpg. Put it somewhere first in path so the application 
which wants to call gpg calls the wrapper script instead. If you can specify 
which command to use point directly to the wrapper script.

The wrapper script should execute the gpg command on your local machine using 
ssh like this.

    ssh username at /path/to/gpg_executable $*

The wrapper script will use ssh to run gpg "at home" where you keep your 
secret keys.

This kind of wrapping script is very limited. The application which wants to 
sign/encrypt something needs to pass the input data via stdin to gpg. Ssh will 
transfer the data back home run the gpg command there and send it back.

If your application wants to call gpg in a way like this it doesn't work:
   gpg --sign input.temp --output output.temp

But you could obviously rewrite the wrapper script like this.

    cat $2 | ssh username at /path/to/gpg_executable \
        $* >  $4

You need to do some testing how your application calls gpg.

On Tuesday 29 June 2010 21:40:37 Carsten Aulbert wrote:
> Hi all (please cc me on any reply),
> this question has come up here in the past but I've never found *any* reply
> so far.
> My problem is relatively simple. We provide a (Debian) repository for our
> colleagues as well as ourselves and would like to sign it (for the experts:
> reprepro's export option). Of course one could either copy around the
> secret keyring and start the agent remotely or type the passphrase many
> times, but straight from the FAQ this is not a good idea(TM).
> Now the notorious question: Does anyone know how to forward the agent's
> socket to the remote machine? I've briefly tried socat (remote unix socket
> to tcp port, ssh tunnel of this port and then socat again to link the
> forwarded port to the existing socket) but so far to no avail.
> Anyone with an idea how to accomplish this?
> Thanks a lot in advance
> Carsten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 706 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20100701/42f5e298/attachment.pgp>

More information about the Gnupg-users mailing list