On Sun, Jun 12, 2011 at 4:19 AM, Rémy Oudompheng <[email protected]> wrote:
> I personally vote for signing the hash, but not for having two sorts
> of signatures. Isn't there any way to split GnuPG's code into the
> hashing part and the encryption part?
>
> Rémy.

From the [email protected] mailing list:

On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch <[email protected]> wrote:
> On Sun, 12 Jun 2011 23:15, [email protected] said:
> > Is it possible to generate the digest for a file, and then create the
> > signature from that digest later?
>
> No, this is not possible. We once considered to implement such a
> feature but dropped that plan. The technical problem is that with
> OpenPGP you don't just sign a plain hash of the message but the hash of
> a modified message (in text mode) and further the hash includes a few
> magic bytes. Thus to implement such a feature we would need to do an
> incomplete hash on the server and complete it on the client. It is
> doable but would look ugly.
>
> My suggestion is to sign the hash of the file; i.e. create a file with
> the SHA-x digests on the remote box, download it and sign it on the
> local box.

So, no (unless we create our own implementation, but that'd be more complicated than just accepting signed hashes).

-Kerrick Staley
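
Added example, not part of the original thread and not GnuPG code: a Python sketch of why a plain file digest cannot be turned into an OpenPGP signature later, following the v4 signature hashing layout in RFC 4880 section 5.2.4, next to the digest-manifest approach suggested above. The function names, the RSA/SHA-256 choice, the single creation-time subpacket and the sample data are assumptions made for illustration.

```python
import hashlib
import struct

SIG_BINARY, SIG_TEXT = 0x00, 0x01   # RFC 4880 signature types
PUBKEY_RSA, HASH_SHA256 = 1, 8      # RFC 4880 algorithm IDs


def hashed_section(sig_type, created):
    """Signature-packet fields that get hashed after the data (minimal set)."""
    # One hashed subpacket: length 5, type 2 (creation time), 4-byte timestamp.
    subpackets = bytes([5, 2]) + struct.pack(">I", created)
    header = bytes([4, sig_type, PUBKEY_RSA, HASH_SHA256])
    return header + struct.pack(">H", len(subpackets)) + subpackets


def openpgp_v4_digest(data, sig_type, created):
    """Digest a v4 signature is computed over (simplified text-mode handling)."""
    if sig_type == SIG_TEXT:
        # Text mode hashes the message with line endings converted to CRLF.
        data = data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    h = hashlib.sha256()
    h.update(data)                      # the only part a remote box could do
    section = hashed_section(sig_type, created)
    h.update(section)                   # known only to the signer
    h.update(b"\x04\xff" + struct.pack(">I", len(section)))  # 6-byte trailer
    return h.hexdigest()


def digest_manifest(files):
    """sha256sum-style manifest: the small file that is downloaded and signed."""
    lines = [f"{hashlib.sha256(body).hexdigest()}  {name}\n"
             for name, body in sorted(files.items())]
    return "".join(lines).encode()


def manifest_matches(manifest, files):
    """Check every file against a manifest whose signature was already verified."""
    listed = {}
    for line in manifest.decode().splitlines():
        digest, name = line.split("  ", 1)
        listed[name] = digest
    return listed.keys() == files.keys() and all(
        hashlib.sha256(files[name]).hexdigest() == digest
        for name, digest in listed.items())


if __name__ == "__main__":
    pkg = b"constructed package contents\n"   # constructed sample input
    print(hashlib.sha256(pkg).hexdigest())
    print(openpgp_v4_digest(pkg, SIG_BINARY, 1307923200))
```

The manifest is itself an ordinary file, so it gets a normal detached signature on the local box; the verifier checks that signature first and only then compares file digests against the manifest.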
