Signing a file given its hash only
vedaal at nym.hush.com
vedaal at nym.hush.com
Wed May 14 01:11:26 CEST 2025
On 5/13/2025 at 6:22 PM, "Richard Stoughton via Gnupg-users"
wrote:Hi,
We have three servers H -> M -> L with high, medium, and low security.
The private signature key is known to H only and must never leave H.
Artifacts that must be signed are produced on M which is capable of
calculating hashes (e.g. SHA-256 hashes). H has the ability to read
these hashes but cannot access the artifacts.
The artifacts are then being transported to L where they are
considered valid if there is also a valid signature for them. H is
expected to push the respective signatures to L.
The question is: Is it possible to gpg-sign a file given its hash
only?
=====
The same thing can be accomplished by having H sign the hash itself.
Assuming that the signing algorithm is secure, then anyone reading L,
and having M's public key, can verify that the hash from M, matches
the artifact on L.
- vedaal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250513/e7e0ffdc/attachment.html>
More information about the Gnupg-users
mailing list