Generate digest and signature seperately

Kerrick Staley mail at
Mon Jun 13 17:12:14 CEST 2011

On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch <wk at> wrote:
> On Sun, 12 Jun 2011 23:15, mail at said:
>> Is it possible to generate the digest for a file, and then create the
>> signature from that digest later?
> No, this is not possible.  We once considered to implement such a
> feature but dropped that plan.  The technical problem is that with
> OpenPGP you don't just sign a plain hash of the message but the hash of
> a modified message (in text mode) and further the hash includes a few
> magic bytes.  Thus to implement such a feature we we would need to do a
> incomplete hash on the server and complete it on the client.  It is
> doable but would look ugly.
> My suggestion is to sign a the hash of the file; i.e. create a file with
> the SHA-x digests on the remote box, download it and sign it on the
> local box.

OK, that answers my question. I think we'll go with the hash-signing
implementation. Thanks!

-Kerrick Staley

More information about the Gnupg-users mailing list