Signing a file given its hash only
Richard Stoughton
kyrieuon at gmail.com
Tue May 13 23:18:19 CEST 2025
Hi,
We have three servers H -> M -> L with high, medium, and low security.
The private signature key is known to H only and must never leave H.
Artifacts that must be signed are produced on M, which is capable of
calculating hashes (e.g. SHA-256 hashes). H has the ability to read
these hashes but cannot access the artifacts.
The artifacts are then transported to L, where they are considered
valid if there is also a valid signature for them. H is expected to
push the respective signatures to L.
The question is: Is it possible to gpg-sign a file given its hash only?
--
Thanks in advance,
Alex
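Added example, not part of the original post and not GnuPG's own code. The reason the question is not a simple "yes" is that an OpenPGP signature is not made over the bare digest of the file: gpg hashes the file data together with the signature packet's hashed fields (timestamp, issuer, other subpackets) and a trailer, and only that combined hash is signed. A precomputed SHA-256 of the artifact therefore cannot be turned into a gpg signature over the artifact. The pattern that fits the H -> M -> L setup is to make the hash manifest the signed document: M writes a SHA256SUMS file, H signs that file (it never needs the artifacts), and L accepts an artifact only if H's signature over the manifest verifies and the artifact's hash matches the manifest entry. The script below simulates the three hosts as three directories on one machine; the key identity, file names and file contents are constructed for the demo, and it assumes gpg 2.1 or newer, gpgconf and coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the original post or from GnuPG): sign a manifest of
# SHA-256 hashes instead of the artifacts, so the host holding the private key
# (H) only ever sees hashes. Assumes gpg >= 2.1, gpgconf, coreutils sha256sum.
# The UID, artifact names and artifact contents are made up for this demo.
set -eu

SIGNER_EMAIL='signer@example.org'   # hypothetical signing identity on H

# Lay out the three hosts as three directories under one temporary root.
setup_hosts() {
    ROOT=$(mktemp -d)
    H="$ROOT/H"; M="$ROOT/M"; L="$ROOT/L"
    mkdir -p "$M" "$L"
    mkdir -m 700 -p "$H/gnupg" "$L/gnupg"
    # H: generate the signing key in H's own keyring; the secret key stays here.
    gpg --homedir "$H/gnupg" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Release Signer
Name-Email: $SIGNER_EMAIL
Expire-Date: 0
%commit
EOF
    # Only the public key is provisioned to the verifying host L.
    gpg --homedir "$H/gnupg" --batch --armor --export "$SIGNER_EMAIL" > "$L/signer.pub"
    gpg --homedir "$L/gnupg" --batch --quiet --import "$L/signer.pub"
}

cleanup_hosts() {
    gpgconf --homedir "$H/gnupg" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$L/gnupg" --kill gpg-agent 2>/dev/null || true
    rm -rf "$ROOT"
}

# M: build the artifacts (constructed sample content) and write the manifest.
produce_on_M() {
    printf 'release build 1.0\n' > "$M/app-1.0.tar.gz"
    printf 'release build 1.0 (debug symbols)\n' > "$M/app-1.0-dbg.tar.gz"
    ( cd "$M" && sha256sum app-1.0.tar.gz app-1.0-dbg.tar.gz > SHA256SUMS )
    cp "$M/SHA256SUMS" "$H/SHA256SUMS"                    # H may read the hashes only
    cp "$M"/app-1.0*.tar.gz "$M/SHA256SUMS" "$L/"         # artifacts + manifest go to L
}

# H: sign the manifest it was given and push the detached signature to L.
sign_on_H() {
    gpg --homedir "$H/gnupg" --batch --yes --quiet --armor --detach-sign \
        --output "$H/SHA256SUMS.asc" "$H/SHA256SUMS"
    cp "$H/SHA256SUMS.asc" "$L/SHA256SUMS.asc"
}

# L: accept only if H's signature over the manifest is valid AND every
# artifact matches its manifest entry. Skipping either check breaks the scheme.
verify_on_L() {
    gpg --homedir "$L/gnupg" --batch --quiet --verify "$L/SHA256SUMS.asc" "$L/SHA256SUMS" \
        || return 1
    ( cd "$L" && sha256sum --quiet --strict -c SHA256SUMS ) || return 1
}

# Happy path: returns 0 when L accepts the release.
demo_accept() {
    setup_hosts; produce_on_M; sign_on_H
    if verify_on_L; then rc=0; else rc=1; fi
    cleanup_hosts; return $rc
}

# Artifact swapped on L (or in transit): signature still good, hash check fails.
# Returns 0 if L correctly rejects.
demo_reject_tampered_artifact() {
    setup_hosts; produce_on_M; sign_on_H
    printf 'backdoored build\n' > "$L/app-1.0.tar.gz"
    if verify_on_L; then rc=1; else rc=0; fi
    cleanup_hosts; return $rc
}

# Artifact AND manifest swapped on L: hashes match, but H's signature no longer
# verifies over the rewritten manifest. Returns 0 if L correctly rejects.
demo_reject_tampered_manifest() {
    setup_hosts; produce_on_M; sign_on_H
    printf 'backdoored build\n' > "$L/app-1.0.tar.gz"
    ( cd "$L" && sha256sum app-1.0.tar.gz app-1.0-dbg.tar.gz > SHA256SUMS )
    if verify_on_L; then rc=1; else rc=0; fi
    cleanup_hosts; return $rc
}

demo_accept                   || { echo "FAIL: valid release rejected"; exit 1; }
echo "ok: valid release accepted"
demo_reject_tampered_artifact || { echo "FAIL: tampered artifact accepted"; exit 1; }
echo "ok: tampered artifact rejected"
demo_reject_tampered_manifest || { echo "FAIL: tampered manifest accepted"; exit 1; }
echo "ok: tampered manifest rejected"
```

Two practical caveats. The manifest must bind file names to hashes (sha256sum's format does), otherwise an attacker with two signed releases can serve the wrong one under the expected name. And L's acceptance rule is the conjunction of both checks: a good signature proves only that H saw this list of hashes, and a matching hash proves only that the file matches some list; neither alone says the artifact is the one H vouched for.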