On Wed, May 14, 2025 at 12:59 AM Jay Acuna <[email protected]> wrote:

> Your options with GPG are essentially to sign a text file or message
> that lists the hash.
> Then have L verify the GPG signature and then verify the hash listed
> in the signed file matches the file to be verified.

To "sign" the hash on M, it would be necessary to inject a one-time secret (e.g. an OpenPGP private key, or a symmetric key) known only to H into the build process on M. Then M would sign the hash or create a MAC that could later be checked by H before actually signing the artifact. Unfortunately, this is currently not possible. Our best option at this time is to compare the hashes of the artifacts deployed on L with their hashes written to a log on M during the build process, before H creates the final signatures. This could be done in a much more efficient way if GnuPG were able to create signatures with hashes instead of the complete file content as input.

> Or you can forward the Gpg-agent from H to M using remote gpg agent
> forwarding over SSH,
> and run the Gpg signing command on M, so that M performs the hashing
> and H performs the key operation.
>
> Or files on M could possibly be made available to H using a
> network-based mount, such as SSHFS or NFS.
> Other than that; the GPG client had to have access to a file in order
> for it to be capable of signing that file.

Unfortunately, there is no way to connect H with M, neither via agent forwarding nor via SSH/NFS/SMB.

On Wed, May 14, 2025 at 12:59 AM Jay Acuna <[email protected]> wrote:
>
> On Tue, May 13, 2025 at 5:20 PM Richard Stoughton via Gnupg-users
> <[email protected]> wrote:
> > Hi,
> >
> > We have three servers H -> M -> L with high, medium, and low security.
> > The private signature key is known to H only and must never leave H.
> >
> > The question is: Is it possible to gpg-sign a file given its hash only?
>
> --
> -JA

_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
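The "sign a text file that lists the hash" workflow from Jay's reply, written out as an added example (not code from either poster): M emits a SHA-256 manifest of the build, H detach-signs only that small text file, and L verifies the signature first and only then checks every listed hash against the deployed artifacts. Host roles, paths and the key id are placeholders.

```shell
#!/bin/sh
# Added example of the "signed hash manifest" workflow discussed in the thread;
# not code from the posters. Hosts, paths and the key id are placeholders.

# On M (build host): list every artifact with its SHA-256. Only this manifest
# has to travel to H; the artifacts themselves never do.
make_manifest() {                   # make_manifest <artifact-dir>  > manifest.txt
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort | xargs sha256sum )
}

# On H (signing host): detach-sign the manifest with the key that never leaves H.
# Writes <manifest>.asc next to the manifest.
sign_manifest() {                   # sign_manifest <manifest> <key-id>
    gpg --batch --yes --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}

# On L: compare every hash listed in the manifest against the deployed files.
# Non-zero exit if any file is missing or altered, or any manifest line is malformed.
verify_manifest_hashes() {          # verify_manifest_hashes <manifest> <artifact-dir>
    manifest="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    ( cd "$2" && sha256sum --check --strict --quiet "$manifest" )
}

# On L: the full check. The signature MUST be verified before the hashes are
# trusted; otherwise whoever can edit the manifest can also edit the hashes.
# In production L should additionally pin the expected signing fingerprint
# rather than accept any key in its keyring.
verify_on_l() {                     # verify_on_l <manifest> <artifact-dir>
    gpg --batch --verify "$1.asc" "$1" || return 1
    verify_manifest_hashes "$1" "$2"
}
```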
