gnupg 'signing server'? Looking for advice on key management/security

Alexander Leidinger Alexander at
Mon Nov 13 09:04:26 CET 2023

On 2023-11-13 07:09, Stephan Verbücheln via Gnupg-users wrote:
> On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
>> A PIN does not solve the problem, since the PIN is entered on
>> the device, which could be backdoored to store the PIN
> That's why card readers with pinpads were invented, and GnuPG also
> supports that:
> Other ideas to improve isolation:
> * If you trust your Linux distribution in general but not every single
> desktop app, you can use a separate Linux user for sensitive
> activities.
> * You can use GnuPG Agent Forwarding via SSH to sign a file on a less
> trusted server from a more trusted client. This way your PIN is entered
> on the more trusted client machine.

What can you sign?
Non-complete answer:
  - git commits
  - files
  - emails

How can you sign emails?
Non-complete answer:
  - webmail interface
  - MUA with pgp support

From which systems can you use such email signatures?
Non-complete answer:
  - Android
  - iOS
  - Windows
  - MacOS
  - Linux
  - FreeBSD
  - your TV (e.g. if it has a web browser)

Yubikey or similar and agent forwarding can't be used when I am not at 
home and access my webmail interface (I want to have a big screen for 
certain emails); typically this is not supported by a webmail interface. 
Agent forwarding can't be used for this use case either.
I'm interested to hear about an Android app which supports yubikeys, but 
this is curiosity, as it doesn't help with the above case of a webmail 

Right now, there is no solution which allows an Android app, a webmail 
interface from the work PC and a MUA or webmail interface on/from your 
PC at home (no matter which OS) to use _1_ central location of your 
private key (so far you may be able to have it stored in your webmail 
solution, and on your yubikey for apps/git/files, but the last part 
depends on something which is able to forward it to remote locations, 
which doesn't work if you need to use a web-interface based ssh gateway 
solution instead of direct ssh access). Feel free to prove me wrong; I 
would love to have a solution for this.

Note: while looking up something related, I found an old German overview 
about the email-apps situation from the authors of GPG for the German 
ministry of information security:
I have quickly read some parts and it looks like the situation hasn't 
really changed in the last 8 years.

If you think about it (I just invested 1 minute), you would need:
  - some server with your private key which is reachable from everywhere
  - a safe authentication possibility to it
  - a remote signing protocol
  - support in all apps/MUAs/...

One could argue that you put OIDC in front of gnupg-agent on a network 
socket and you have covered the first 3 items (but I would bet it is not 
as simple as that). Then it would simply be a matter of support in all 
the apps/MUAs/... (webmail interfaces which already use gnupg-agent would 
be simple to convert if gnupg-agent had a proxy feature which connected 
to the remote agent).


-- Alexander at PGP 0x8F31830F9F2772BF    netchild at  : PGP 0x8F31830F9F2772BF
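The SSH agent forwarding Stephan mentions, and the "server with your private key / remote signing protocol" pieces Alexander lists, as an added example that is not code from either poster or from the GnuPG project: a POSIX shell script that forwards the local gpg-agent's restricted "extra" socket to a less trusted host and signs a file there, so the private key and the PIN prompt never leave the trusted client. It assumes GnuPG 2.1 or later on both machines, that the remote sshd has `StreamLocalBindUnlink yes` and no gpg-agent of your own running there (so ssh can bind the socket path), and that your public key has already been imported on the remote; the host and file names are hypothetical arguments.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: sign on a less trusted
# host with the private key held by the gpg-agent on this (trusted) machine.
#
# Assumptions (not stated in the thread):
#   - GnuPG >= 2.1 on both ends ("gpgconf --list-dirs" exists on both)
#   - remote sshd_config contains "StreamLocalBindUnlink yes" and no
#     gpg-agent runs on the remote for this user, so the socket path is
#     free for ssh to bind
#   - your public key has already been imported on the remote host

# Build the "-R" forwarding spec: <remote path>:<local path>.
# The local side is the agent's restricted "extra" socket, which refuses
# key export and other sensitive requests, so the remote host only ever
# gets signing/decryption service, never the key material itself.
agent_forward_spec() {
    remote_socket="$1"   # where gpg on the remote expects its agent
    local_extra="$2"     # S.gpg-agent.extra on this machine
    printf '%s:%s' "$remote_socket" "$local_extra"
}

# Local extra socket path, queried rather than hard-coded because it
# differs between systemd (/run/user/UID/gnupg) and plain ~/.gnupg setups.
local_extra_socket() {
    gpgconf --list-dirs agent-extra-socket
}

# The remote's standard agent socket path, queried the same way over SSH.
remote_agent_socket() {
    ssh "$1" gpgconf --list-dirs agent-socket
}

# Forward the agent and produce a detached ASCII-armoured signature of
# "$2" on host "$1". The pinentry (and any card PIN) appears locally.
sign_remote_file() {
    host="$1"
    file="$2"
    spec=$(agent_forward_spec "$(remote_agent_socket "$host")" "$(local_extra_socket)")
    ssh -R "$spec" "$host" gpg --detach-sign --armor "$file"
}

# Entry point: "./gpg-forward-sign.sh sign <host> <file>". Guarded so that
# sourcing the file (e.g. for tests) only defines the functions and does
# not contact any host.
if [ "${1:-}" = "sign" ] && [ "$#" -eq 3 ]; then
    sign_remote_file "$2" "$3"
fi
```

A quick check before signing anything is `ssh -R "$spec" host gpg --list-secret-keys`: the key should show up with a "#" or ">" marker on the remote, meaning only a stub is visible there. Note the residual risk that Alexander's thread is about: while the tunnel is open, anyone who can reach the remote socket (root on that host) can ask the forwarded agent for signatures, so a per-operation PIN or touch confirmation on the card is what limits what a compromised remote can do with the session.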