On Mon, Jun 13, 2011 at 10:08 AM, Dan McGee <[email protected]> wrote:
> Not to bust your enthusiasm, but I had researched all of this and more
> before writing my original email. It even included the final
> suggestion of signing the hash of the file because the two things
> can't be separated (and won't be done anytime soon by the upstream
> devs). I looked at the agent as the best possibility for this very
> reason.
>
> I also want to make clear as it seems you have taken Denis' word as
> the gospel here when he mentioned signing package databases. Not a
> word of what I wrote when starting this thread implied databases, so I
> apologize for that if it did. Those are no issue at all - they are
> small enough that we could easily work out a solution similar to what
> Denis proposed, so we need no remote signing capability at all with
> those. The only thing I was looking for in this thread was a solution
> for packages that are too unwieldy to schlep back and forth for the
> sole reason of signing; things like game data, Sage Mathematics
> packages, OpenOffice, etc. if they were built on a remote machine.
>
> It's also nice to link to the full thread if you're going to
> cross-post one snippet:
> http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

OK, sorry. I just made a guess as to what you were talking about, since you never transcribed the original conversation or made clear what you were referring to.

Anyway, I second Denis's suggestion of always signing the hash rather than the original file. Like I mentioned, any scheme where the signing is done on the server means that keys will get compromised if the main server gets hacked.

-Kerrick Staley
