Signing a file given its hash only
Wiktor Kwapisiewicz
wiktor at metacode.biz
Mon Jun 2 11:30:41 CEST 2025

Hi Richard,

> On Tue, May 20, 2025 at 10:09 AM Werner Koch <wk at gnupg.org> wrote:
>> Many years ago we pondered with this idea. However it is complicated
>> because *PGP does not simply sign a hash but has a prefix and a suffix
>> to append. Thus for signing we would need to provide a tool which takes
>> some internal hash context, continue to hash the file, and let gpg
>> finalize the hashing. This is a bit ugly and would raise problems with
>> certifications etc.
>
> OK, I see that by signing a hash it is not feasible to obtain the
> signature for the file hashed.

I had the same problem in a remote signer project that we're working on.
We've analyzed technical differences between OpenPGP, SSH file
signatures and X.509 [0]. SSH and X.509 have the benefit that they
double-wrap the digest (that is first they compute the file digest, then
embed that in a different structure and then sign that). Which makes it
trivial to implement remote signing (or blind signing, where the signer
only knows the digest of the data being signed).

With OpenPGP v4 signatures (which are the most widely used type in
circulation) the hasher first hashes a file and then appends PGP packets
(as if they were appended to the end of the file). This is described in
detail in section 5.2.3 of RFC 4880 [1]. Note that there is no prefix
(it seems to be the same for v5 signatures [2]).

Since, in Signstar, we control both the server and the client we were
able to work around the problem by sending the hasher's *state* (not the
digest) from the client to the server. This allows the client to compute
the state up to the final bit of the hashed data and the server can both
1) recover the file digest (by finalizing the hasher state) 2) continue
hashing the PGP packets (obtaining the final digest to be signed).

It's not as straightforward as with SSH/X.509 but it works and may be
relevant to your use-case.

Happy to answer any questions you may have and if not... well... have a
nice day, anyway! :)

Kind regards,
Wiktor

[0]: https://gitlab.archlinux.org/archlinux/signstar/-/blob/main/signstar-request-signature/resources/docs/design.md?ref_type=heads
[1]: https://www.rfc-editor.org/rfc/rfc4880#section-5.2.3
[2]: https://www.ietf.org/archive/id/draft-koch-librepgp-03.html#name-version-4-and-5-signature-p