Re: Generate digest and signature separately

2011-06-14 Thread Jerome Baum
No, it's the other way.  A PGP signature does embed information about all sorts of things, including whether it is the signature of a file or signature over a certificate. I think it really boils down to the details are significant. It's not really the signature packet that is relevant, but

Re: Generate digest and signature separately

2011-06-14 Thread Jerome Baum
Does the (mathematical) signature differ between data sigs and certs in any way besides the varying hash? Does that matter and why? If only the hash varies, you need the data to be sure that the hash is for a data sig (based on a previous discussion the hash is prefixed with the data vs. cert

Re: Generate digest and signature separately

2011-06-14 Thread Jerome Baum
for a data sig (based on a previous discussion the hash is prefixed (referring to the data that is hashed, and emphasis on prefixed vs. postfixed) -- Jerome Baum tel +49-1578-8434336 email jer...@jeromebaum.com web www.jeromebaum.com -- PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A

Re: Generate digest and signature separately

2011-06-13 Thread Werner Koch
On Sun, 12 Jun 2011 23:15, m...@kerrickstaley.com said: Is it possible to generate the digest for a file, and then create the signature from that digest later? No, this is not possible. We once considered to implement such a feature but dropped that plan. The technical problem is that with

Re: Generate digest and signature separately

2011-06-13 Thread Dan McGee
On Sun, Jun 12, 2011 at 7:54 PM, Jerome Baum jer...@jeromebaum.com wrote: The databases (lists) are not very large, as far as I understand, but it wasn't my call (repositories in the 4th line is a typo; I meant databases). I'm not an Arch Linux developer; I'm just contributing to their effort

Re: Generate digest and signature separately

2011-06-13 Thread Kerrick Staley
On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch w...@gnupg.org wrote: On Sun, 12 Jun 2011 23:15, m...@kerrickstaley.com said: Is it possible to generate the digest for a file, and then create the signature from that digest later? No, this is not possible.  We once considered to implement such a

Re: Generate digest and signature separately

2011-06-13 Thread Hauke Laging
On Monday, 13 June 2011, 17:15:59, Dan McGee wrote: I did suggest [2] signing package hashes as one possible option I just realize that this does not solve the you don't know what you sign argument at all. Whether you sign a file or the hash of that file is usually not a difference to the

Re: Generate digest and signature separately

2011-06-13 Thread Jerome Baum
I would like to have the possibility to pass the hash to be signed. We had a discussion about smart-card signatures here and basically the issue with passing just a hash is that you can't distinguish data signatures from certifications/key signatures. So, you might trust the remote server to

Re: Generate digest and signature separately

2011-06-13 Thread Jerome Baum
We had a discussion about smart-card signatures here and basically the issue with passing just a hash is that you can't distinguish data signatures from certifications/key signatures. To clarify, you can't tell from the hash, and you can't really add a packet I'm signing data here vs. I'm

Re: Generate digest and signature separately

2011-06-13 Thread Daniel Kahn Gillmor
On 06/13/2011 01:05 PM, Jerome Baum wrote: Of course, you could solve this problem by signing with a sub-key, which isn't meant to certify other keys. I do wonder how e.g. PGP would react on seeing a key certification from a sub-key. it should depend on whether the key usage flags for the

Re: Generate digest and signature separately

2011-06-13 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 13-06-2011 11:39, Hauke Laging wrote: ... I would like to have the possibility to pass the hash to be signed. I suppose if the hash is sent using a secure connection, it should be safe enough. But that option, no doubt, would be an expert

Re: Generate digest and signature separately

2011-06-13 Thread Kerrick Staley
Just to make sure that I'm understanding this, a complete PGP signature does not embed information about whether it is the signature of a file or the signature of a certificate, so it's a bad idea to sign a remotely generated digest? -Kerrick Staley On Mon, Jun 13, 2011 at 5:36 PM, Faramir

Re: Generate digest and signature separately

2011-06-13 Thread Jerome Baum
On Tue, Jun 14, 2011 at 02:31, Kerrick Staley m...@kerrickstaley.com wrote: Just to make sure that I'm understanding this, a complete PGP signature does not embed information about whether it is the signature of a file or the signature of a certificate, so it's a bad idea to sign a remotely

Re: Generate digest and signature separately

2011-06-13 Thread David Shaw
On Jun 13, 2011, at 8:31 PM, Kerrick Staley wrote: Just to make sure that I'm understanding this, a complete PGP signature does not embed information about whether it is the signature of a file or the signature of a certificate, so it's a bad idea to sign a remotely generated digest? No,

Generate digest and signature separately

2011-06-12 Thread Kerrick Staley
Hello, Is it possible to generate the digest for a file, and then create the signature from that digest later? I'm making this inquiry because developers for the Arch Linux distribution need a way to sign databases (lists of software packages) on the central repository (package server) without

Re: Generate digest and signature separately

2011-06-12 Thread Kerrick Staley
On Sun, Jun 12, 2011 at 5:37 PM, Jerome Baum jer...@jeromebaum.com wrote: On Sun, Jun 12, 2011 at 23:15, Kerrick Staley m...@kerrickstaley.com wrote: Is it possible to generate the digest for a file, and then create the signature from that digest later? Problem is, you don't know what

Re: Generate digest and signature separately

2011-06-12 Thread Jerome Baum
Is it possible to generate the digest for a file, and then create the signature from that digest later? Problem is, you don't know what you're signing. I realize that this is a problem; however, it is considered to be an acceptable risk. The same problem happens if the developers sign a

Re: Generate digest and signature separately

2011-06-12 Thread Jerome Baum
On Sun, Jun 12, 2011 at 23:15, Kerrick Staley m...@kerrickstaley.com wrote: Is it possible to generate the digest for a file, and then create the signature from that digest later? Problem is, you don't know what you're signing. -- Jerome Baum tel +49-1578-8434336 email jer...@jeromebaum.com

Re: Generate digest and signature separately

2011-06-12 Thread Ben McGinnes
On 13/06/11 9:16 AM, Jerome Baum wrote: Who makes these considerations? In any case, what kind of database is this that it's too much of a hassle to copy over? What size, etc.? Given this line from the original post, developers for the Arch Linux distribution need a way to sign databases

Re: Generate digest and signature separately

2011-06-12 Thread Jerome Baum
In any case, what kind of database is this that it's too much of a hassle to copy over? What size, etc.? Given this line from the original post, developers for the Arch Linux distribution need a way to sign databases (lists of software packages) on the central repository (package server)

Re: Generate digest and signature separately

2011-06-12 Thread Kerrick Staley
Given this line from the original post, developers for the Arch Linux distribution need a way to sign databases (lists of software packages) on the central repository (package server) without having to copy those repositories to their local computer and back I'm guessing that it'd be at least

Re: Generate digest and signature separately

2011-06-12 Thread Jerome Baum
The databases (lists) are not very large, as far as I understand, but it wasn't my call (repositories in the 4th line is a typo; I meant databases). I'm not an Arch Linux developer; I'm just contributing to their effort to implement package signing. Individual packages will be signed, but