Hi, [ I'm Cc-ing Werner Koch on this ]
Wouter Verhelst: > On Tue, Dec 02, 2003 at 10:16:32PM +0100, Matthias Urlichs wrote: > > Hi, Henrique de Moraes Holschuh wrote: > > > > > On Tue, 02 Dec 2003, Wouter Verhelst wrote: > > >> So unless you have a suggestion that would solve this particular issue, > > >> I'm afraid this idea won't work in practice. > > > > > > We could verify if the gpg agent (gpa? I forget the name...) cannot do > > > this > > > over a secure channel. It should be able to, and if not, it can probably > > > be > > > taught to. > > > > It's not that easy (basically you need to tunnel the actual > > encryprion/signing function, not just the passphrase-getting). > > See ssh-agent as an example. > > > > The good thing is that people are already thinking about this. > > > > http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017920.html > > Well, implemented as Werner suggests in that message would require me to > send the actual .deb over the line. I won't do that, ... and it doesn't make sense, since ... > As I understand it, an OpenPGP signature is an encrypted hash or > something similar of the actual data. It would be feasible if the > signature algorithm would allow for hashing the data on the remote > machine, and signing that hash locally. > ... that would work. It'd probably require a few hooks within GPG to generate a hash packet / . > Then again, we could do such things right now. Wouldn't it be more > interesting to gpg-sign md5sums of control.tar.gz and data.tar.gz? That makes a lot of sense; you can then compare md5sums independently. You can't directly compare detached signatures: they're timestamped and contain random data, AFAIK. Still, sending the to-be-signed file across the wire doesn't make sense. > Especially in the case of larger .debs, that would probably reduce the > actual signature size as well... ?? A hash is a hash, and should be independent of file size. -- Matthias Urlichs | {M:U} IT Design @ m-u-it.de | [EMAIL PROTECTED] Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de - - REAL PROGRAMMERS don't write in Pascal, Mesa, Ada or any of those other pinko computer science languages. Strong typing is for people with weak memories.
