<html><head></head><body><div dir="auto">
Hi there,
</div>
<div dir="auto">
<div dir="auto"><br></div>
<div dir="auto">
Unless I’m missing something, this is a pattern I see used in release management where a list of SHA256 checksums for deliverables is provided in a file, and that checksum file is then clearsigned (or detached if you prefer). Also known as “signing your checksums file.”
</div>
<div dir="auto"><br></div>
<div dir="auto">
Examples:
</div>
<div dir="auto">
- <a href="https://releases.ubuntu.com/focal/">https://releases.ubuntu.com/focal/</a>
</div>
<div dir="auto">
- <a href="https://www.debian.org/CD/verify">https://www.debian.org/CD/verify</a>
</div>
<div dir="auto"><br></div>
<div dir="auto">
The security of this process in the scenario you described, however, would be contingent upon a) the transport security between M and H, and b) whether H in fact trusts M to produce valid and trustworthy checksums.
</div>
<div dir="auto"><br></div>
<div dir="auto">
Assuming everything is okay here, you then ship both the checksums file and its corresponding GPG signature to L. In this manner, H does not require access to artifacts on M due to their SHA256 representatives (presumed to be cryptographically ensured) and
<span>L of course is presumed to be secure because it only involves the use of public keys, cryptography, and resultant signatures needing to be verified by external consumers, etc.</span>
</div>
<div dir="auto"><br></div>
<div dir="auto">
<span dir="auto">I would offer, though, that M should actually be considered just as sensitive as H since it is producing artifacts (aka attestations) that H is going to end up signing for. If you’re automating this (as in DevOps), consider supply chain threat scenarios and the implications of a compromised M producing some nullifying claim or malicious code that ends up getting certified as “valid” by H.</span>
<br>
</div>
<div dir="auto"><br></div>
<div dir="auto">Regards,</div><div dir="auto"><br></div><div dir="auto">Matt<br></div>
</div>
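<div dir="auto">
<p>Added example, not code from Matt or the original poster: the H, M, L flow described above as a POSIX shell script, with constructed artifacts, a throwaway key and a placeholder signer identity, all run in one scratch directory so each host's step can be read in order. It shows what L's check does and does not catch: an artifact altered after M listed it fails the digest check and a rewritten list fails signature verification, but anything M put into the list before H signed it is accepted, which is the sensitivity point about M.</p>

```bash
#!/bin/sh
# Added demo: all three roles run in one scratch directory. In reality each
# block below is typed on the named host; only SHA256SUMS travels M -> H and
# only the signature travels H -> L. Key, identity and payloads are constructed.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/H-keyring"   # H's secret keyring: never leaves H
LKEYRING="$WORK/L-keyring"           # L holds only H's public key
mkdir -m 700 "$GNUPGHOME" "$LKEYRING"
SIGNER="Release Signer (H) <release@example.invalid>"   # placeholder identity

# --- H (one-time): generate the signing key, publish only the public half ---
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$SIGNER" default default never 2>/dev/null
gpg --batch --quiet --armor --export "$SIGNER" > "$WORK/H-pubkey.asc"
gpg --batch --quiet --homedir "$LKEYRING" --import "$WORK/H-pubkey.asc" 2>/dev/null

# --- M: build the artifacts and list their digests in sha256sum(1) format ---
cd "$WORK"
printf 'release payload 1\n' > artifact-1.bin
printf 'release payload 2\n' > artifact-2.bin
sha256sum artifact-1.bin artifact-2.bin > SHA256SUMS

# --- H: detach-sign the list only; H never sees the artifacts themselves.
# Whatever M wrote into SHA256SUMS is certified here, hence Matt's point that
# M is as sensitive as H and the M -> H channel must be authenticated. ---
gpg --batch --quiet --yes --armor --detach-sign --output SHA256SUMS.gpg SHA256SUMS

# --- L: accept an artifact only if the list is signed by H AND the digest
# matches. Prints OK, BADSIG or BADSUM and returns non-zero on failure. ---
verify_on_l() {
    if ! gpg --batch --quiet --homedir "$LKEYRING" \
             --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null; then
        echo BADSIG; return 1
    fi
    if ! sha256sum -c SHA256SUMS >/dev/null 2>&1; then
        echo BADSUM; return 1
    fi
    echo OK
}

verify_on_l                                   # OK: genuine release
printf 'tampered\n' > artifact-2.bin          # artifact altered after M listed it
verify_on_l || true                           # BADSUM: digest no longer matches
sha256sum artifact-1.bin artifact-2.bin > SHA256SUMS   # list rewritten to match
verify_on_l || true                           # BADSIG: H never signed this list
```
</div>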
<div>
<br>
</div>
<div>
<br>
</div>On Tue, May 13, 2025 at 15:22, Richard Stoughton via Gnupg-users &lt;<a href="mailto:gnupg-users@gnupg.org">gnupg-users@gnupg.org</a>&gt; wrote:
<blockquote class="protonmail_quote" type="cite">
Hi,
<br>
<br>We have three servers H -> M -> L with high, medium, and low security.
<br>
<br>The private signature key is known to H only and must never leave H.
<br>
<br>Artifacts that must be signed are produced on M which is capable of
<br>calculating hashes (e.g. SHA-256 hashes). H has the ability to read
<br>these hashes but cannot access the artifacts.
<br>
<br>The artifacts are then being transported to L where they are
<br>considered valid if there is also a valid signature for them. H is
<br>expected to push the respective signatures to L.
<br>
<br>The question is: Is it possible to gpg-sign a file given its hash only?
<br>
<br>
<br>--
<br>Thanks in advance,
<br>Alex
<br>
<br>_______________________________________________
<br>Gnupg-users mailing list
<br>Gnupg-users@gnupg.org
<br>https://lists.gnupg.org/mailman/listinfo/gnupg-users
<br>
</blockquote></body></html>