On Mon, 19 May 2025 15:40, Richard Stoughton said:

> creates the final signatures. This could be done in a much more
> efficient way if GnuPG would be able to create signatures with hashes
> instead of the complete file content as input.
Many years ago we pondered this idea. However, it is complicated because *PGP does not simply sign a hash but has a prefix and a suffix to append. Thus for signing we would need to provide a tool which takes some internal hash context, continues to hash the file, and lets gpg finalize the hashing. This is a bit ugly and would raise problems with certifications etc. Our solution was to implement remote signing. This allows doing the private key operations on your machines while the actual hashing and signing is done on the server. From a security POV this is the same as running only the bulk hashing on the server. If you don't like that, take the easy way and sign a manifest file with the hash values.

Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
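The "suffix" Werner refers to is the OpenPGP v4 signature trailer (RFC 4880 section 5.2.4): after the document, the hash also covers the signature packet's version, type, algorithm octets and hashed subpackets, then six trailer octets, so a signer needs a live hash context rather than a finished digest. The following Python is an added illustration, not code from this thread or from GnuPG; the function names, the constructed document chunks and the sample creation time are all assumptions.

```python
"""OpenPGP v4 signature hashing (RFC 4880 section 5.2.4): the document is
hashed first, then part of the signature packet, then a 6-octet trailer.
Added example; the bulk/finalize split mirrors the remote-signing idea."""
import hashlib
import struct

SIG_BINARY = 0x00        # signature type: binary document
PK_ALGO_RSA = 1          # public-key algorithm id for RSA
HASH_ALGO_SHA256 = 8     # hash algorithm id for SHA-256

def creation_time_subpacket(unix_time):
    # Subpacket: 1-octet length (type + body), type 2, 4-octet big-endian time.
    body = struct.pack(">I", unix_time)
    return bytes([1 + len(body), 2]) + body

def hashed_sig_fields(sig_type, pk_algo, hash_algo, hashed_subpackets):
    # Version 4, type, pubkey algo, hash algo, 2-octet subpacket length, subpackets.
    return (bytes([4, sig_type, pk_algo, hash_algo])
            + struct.pack(">H", len(hashed_subpackets))
            + hashed_subpackets)

def v4_trailer(hashed_fields):
    # 0x04, 0xFF, then the 4-octet length of the hashed signature fields.
    return b"\x04\xff" + struct.pack(">I", len(hashed_fields))

def finalize_v4_digest(ctx, hashed_fields):
    """Signer side: take a hash context already fed with the document,
    append the signature fields and trailer, return the digest to sign."""
    ctx.update(hashed_fields)
    ctx.update(v4_trailer(hashed_fields))
    return ctx.digest()

def sign_input_for_document(document_chunks, hashed_fields):
    """Bulk side: stream the document into the context chunk by chunk
    (this is the part that could run on a server), then finalize."""
    ctx = hashlib.sha256()
    for chunk in document_chunks:
        ctx.update(chunk)
    return finalize_v4_digest(ctx, hashed_fields)

if __name__ == "__main__":
    # Constructed sample document and metadata (not a real GnuPG test vector).
    doc = [b"release-1.0.tar.gz contents, part 1\n", b"part 2\n"]
    fields = hashed_sig_fields(SIG_BINARY, PK_ALGO_RSA, HASH_ALGO_SHA256,
                               creation_time_subpacket(1747669200))
    print("hashed fields:", fields.hex())
    print("trailer:      ", v4_trailer(fields).hex())
    print("digest to sign:", sign_input_for_document(doc, fields).hex())
```

Note that a plain SHA-256 of the file is never what gets signed: the same document with a different creation time yields a different digest, which is why a manifest of file hashes, signed as an ordinary document, is the simpler workaround.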
_______________________________________________ Gnupg-users mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-users
