Signing a file given its hash only
Jay Acuna
mysidia at gmail.com
Wed May 14 00:58:56 CEST 2025
On Tue, May 13, 2025 at 5:20 PM Richard Stoughton via Gnupg-users
<gnupg-users at gnupg.org> wrote:
> Hi,
>
> We have three servers H -> M -> L with high, medium, and low security.
> The private signature key is known to H only and must never leave H.
>
> The question is: Is it possible to gpg-sign a file given its hash only?
Your options with GPG are essentially to sign a text file or message that lists the hash. Then have L verify the GPG signature and then verify that the hash listed in the signed file matches the file to be verified.

Or you can forward the gpg-agent from H to M using remote gpg-agent forwarding over SSH, and run the GPG signing command on M, so that M performs the hashing and H performs the key operation.

Or files on M could possibly be made available to H using a network-based mount, such as SSHFS or NFS.

Other than that, the GPG client has to have access to a file in order for it to be capable of signing that file.
--
-JA
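The first option above (sign a manifest of hashes, then let L check signature and hash separately), as an added bash example that is not from the thread or from GnuPG's documentation. It assumes a throwaway key identity, constructed file names and a constructed release file; separate GNUPGHOME directories stand in for H and L so that the private key never leaves H's keyring.

```bash
#!/usr/bin/env bash
# Added demo (not from the thread): H signs only a hash manifest, never the file.
# Key identity, file names and the throwaway key are constructed for the demo.
set -u
H_HOME="$(mktemp -d)"; L_HOME="$(mktemp -d)"; WORK="$(mktemp -d)"
chmod 700 "$H_HOME" "$L_HOME"
echo allow-loopback-pinentry > "$H_HOME/gpg-agent.conf"
SIGNER="H release signer <h@example.invalid>"      # hypothetical key identity

# H: a throwaway signing key that stays in H_HOME; only its public half is exported to L.
make_key() {
  GNUPGHOME="$H_HOME" gpg --batch --quiet --list-secret-keys "$SIGNER" >/dev/null 2>&1 ||
  GNUPGHOME="$H_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$SIGNER" ed25519 sign 1d >/dev/null 2>&1 || return 1
  GNUPGHOME="$H_HOME" gpg --batch --quiet --export "$SIGNER" |
  GNUPGHOME="$L_HOME" gpg --batch --quiet --import 2>/dev/null
}
# M: the manifest records SHA-256 and file name, so the signed text binds both.
make_manifest() {   # $1 = directory, $2 = file name inside it
  ( cd "$1" && sha256sum "$2" > "$2.sha256" )
}
# H: detached signature over the manifest only (no clearsigned text for L to parse).
sign_manifest() {   # $1 = path to manifest
  GNUPGHOME="$H_HOME" gpg --batch --quiet --yes --local-user "$SIGNER" \
      --armor --detach-sign "$1" 2>/dev/null
}
# L: check the signature first, then hash-vs-file. Returns 0 only if both pass.
verify_release() {  # $1 = directory, $2 = file name inside it
  GNUPGHOME="$L_HOME" gpg --batch --quiet --verify \
      "$1/$2.sha256.asc" "$1/$2.sha256" 2>/dev/null || return 1
  ( cd "$1" && sha256sum --status -c "$2.sha256" )
}
# End-to-end on a constructed release file; a tampered copy must be rejected.
demo() {
  make_key || return 1
  printf 'release v1.0 payload\n' > "$WORK/release.tar"     # constructed content
  make_manifest "$WORK" release.tar || return 1
  sign_manifest "$WORK/release.tar.sha256" || return 1
  verify_release "$WORK" release.tar || return 1            # intact: accepted
  printf 'altered between M and L\n' >> "$WORK/release.tar"
  verify_release "$WORK" release.tar && return 1            # tampered: rejected
  return 0
}
demo && echo "signature and hash verified; tampered copy rejected"
```

If H uses --clearsign instead of a detached signature, have L extract the signed text with `gpg --output manifest --decrypt manifest.asc` rather than stripping the armour headers by hand, so only data covered by the signature reaches `sha256sum -c`.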