On Tue, May 13, 2025 at 5:20 PM Richard Stoughton via Gnupg-users <[email protected]> wrote:
> Hi,
>
> We have three servers H -> M -> L with high, medium, and low security.
> The private signature key is known to H only and must never leave H.
>
> The question is: Is it possible to gpg-sign a file given its hash only?
Your options with GPG are essentially to sign a text file or message that lists the hash. Then have L verify the GPG signature and then verify that the hash listed in the signed file matches the file to be verified.

Or you can forward the gpg-agent from H to M using remote gpg-agent forwarding over SSH, and run the GPG signing command on M, so that M performs the hashing and H performs the key operation.

Or files on M could possibly be made available to H using a network-based mount, such as SSHFS or NFS.

Other than that, the GPG client has to have access to a file in order to be capable of signing that file.

--
-JA
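The first option in the reply above (sign a small manifest that lists the hash, then verify signature and hash separately on L), as an added example that is not from the thread. It assumes `sha256sum` and `gpg` are in PATH; file names, the manifest format and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the original thread): the "sign a manifest that
# lists the hash" workflow. M computes the hash and writes a manifest, H
# clearsigns the manifest with the key that never leaves H, and L verifies
# the signature first and only then compares the hash to the delivered file.
# Assumes sha256sum and gpg in PATH; file and function names are placeholders.
set -eu

# M side: write "<sha256>  <basename>" for the file (sha256sum -c format).
make_manifest() {   # make_manifest FILE MANIFEST
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) > "$2"
}

# H side: clearsign the manifest. The key stays on H; only the small
# manifest text crosses the H <-> M boundary, never the artifact itself.
sign_manifest() {   # sign_manifest MANIFEST SIGNED_MANIFEST
    gpg --batch --yes --clearsign --output "$2" "$1"
}

# L side, step 1: check the signature and recover the signed text.
# gpg --decrypt on a clearsigned file verifies it and writes the body;
# a bad signature or a signer not in L's keyring makes it exit non-zero.
verify_signature() {   # verify_signature SIGNED_MANIFEST MANIFEST_OUT
    gpg --batch --yes --decrypt --output "$2" "$1" 2>/dev/null
}

# L side, step 2: the hash in the (now authenticated) manifest must match
# the file actually delivered. Returns 0 on match, 1 on mismatch.
verify_hash() {   # verify_hash MANIFEST FILE
    expected=$(awk 'NR==1 {print $1}' "$1")
    actual=$(sha256sum "$2" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# L side, combined: signature first, hash second, never the other way round,
# so an attacker who can alter the manifest in transit gains nothing.
verify_release() {   # verify_release SIGNED_MANIFEST FILE
    tmp=$(mktemp)
    if verify_signature "$1" "$tmp" && verify_hash "$tmp" "$2"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}
```

On L the signer's public key must already be in the keyring (ideally a keyring that contains nothing else), otherwise the signature check cannot fail closed.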
