Generate digest and signature separately
Kerrick Staley
mail at kerrickstaley.com
Mon Jun 13 17:12:14 CEST 2011
On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch <wk at gnupg.org> wrote:
> On Sun, 12 Jun 2011 23:15, mail at kerrickstaley.com said:
>
>> Is it possible to generate the digest for a file, and then create the
>> signature from that digest later?
>
> No, this is not possible. We once considered implementing such a
> feature but dropped that plan. The technical problem is that with
> OpenPGP you don't just sign a plain hash of the message but the hash of
> a modified message (in text mode) and further the hash includes a few
> magic bytes. Thus to implement such a feature we would need to do an
> incomplete hash on the server and complete it on the client. It is
> doable but would look ugly.
>
> My suggestion is to sign the hash of the file; i.e. create a file with
> the SHA-x digests on the remote box, download it and sign it on the
> local box.
OK, that answers my question. I think we'll go with the hash-signing
implementation. Thanks!
-Kerrick Staley
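
Added example, not part of the original messages and not GnuPG code: a Python illustration of the point in the quoted reply, following the version 4 signature hashing layout in RFC 4880. The digest that gets signed covers the document (canonicalized in text mode) plus signature fields and a trailer, so a plain file digest computed on the server is not that value. Assumptions: SHA-256, an RSA key, a hashed subpacket area holding only the creation time, and constructed sample data.

```python
import hashlib
import struct

# Identifiers from RFC 4880: signature types, public-key and hash algorithm IDs.
SIG_BINARY, SIG_TEXT = 0x00, 0x01
PK_RSA, HASH_SHA256 = 1, 8

DOC = b"release notes\nline two\n"   # constructed sample document
CREATED = 1307977934                  # constructed signature creation time

def creation_time_subpacket(ts):
    # Subpacket = length octet (type + 4 data octets), type 2, 4-byte timestamp.
    return bytes([5, 2]) + struct.pack(">I", ts)

def v4_trailer(sig_type, hashed_subpackets):
    # Signature packet fields that are hashed after the document.
    fields = bytes([4, sig_type, PK_RSA, HASH_SHA256])
    fields += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    # Final six octets: version 4, 0xFF, big-endian length of the fields above.
    return fields + b"\x04\xff" + struct.pack(">I", len(fields))

def canonical_text(data):
    # Text-mode signatures hash the document with CRLF line endings.
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def finish(partial, sig_type, created):
    # "Complete it on the client": extend a hash state that already
    # covers the document with the signer's fields and trailer.
    h = partial.copy()
    h.update(v4_trailer(sig_type, creation_time_subpacket(created)))
    return h.hexdigest()

def openpgp_digest(document, sig_type, created):
    if sig_type == SIG_TEXT:
        document = canonical_text(document)
    # hashlib.sha256(document) is the "incomplete hash on the server".
    return finish(hashlib.sha256(document), sig_type, created)

if __name__ == "__main__":
    print("plain SHA-256 :", hashlib.sha256(DOC).hexdigest())
    print("binary sig    :", openpgp_digest(DOC, SIG_BINARY, CREATED))
    print("text sig      :", openpgp_digest(DOC, SIG_TEXT, CREATED))
```

The partial hash in `finish` is an in-memory hash state, not a finished digest; a finished digest cannot be extended this way, which is why the reply suggests signing a file of digests instead.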