Signing a file given its hash only

Sun Jun 1 19:36:34 CEST 2025

On Mon, May 19, 2025 at 6:08 PM Jay Acuna <mysidia at gmail.com> wrote:
>
> On Sun, May 18, 2025 at 6:58 AM Richard Stoughton <kyrieuon at gmail.com> wrote:
> > To "sign" the hash on M, it would be necessary to inject a one-time
> > secret  (e.g. a OpenPGP private key
>
> This would seem to invalidate H's purpose for existing. At that point
> may as well backup the keys on H
> & move its signing subkey to a USB GPG Card.  Install the card-based
> keypairs on M,
> and remove H from the process.
>
> The card provides M a means to sign only at the time that physical
> card is inserted,
> w/the correct PIN is entered, and M never gains access to read the secret.

Currently M are short-lived cloud instances that run the build process
without user interaction. I don't see how to use a HSM or similar
hardware in this case.