Re: Remote signing?

2006-02-21 Thread Thomas Kühne
The attachment contains the preliminary final BETA version for remote
signatures.

Patch and recompile gpg-1.4-* to get 2 new commands:

1) gpg --print-seed SHA1 ./dir/to_be_signed_file
Creates a signature seed. Can be combined with "--text".

2) gpg --sign-seed THE_SEED
Use the signature seed to create a signature. The to-be-signed file
isn't required; only the seed and a signing key are.

After patching, the file doc/DETAILS contains some information about the
seed format.


Thomas



gnupg-1.4.2-md-seed-6.diff.gz
Description: application/gzip


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Remote signing?

2006-02-20 Thread Thomas Kühne
Matthias Urlichs wrote:
> Hello,
>
> I need to sign files remotely. They're moderately large, so
> transmitting them back to my firewalled-off laptop (I'm usually
> behind a slow line), where the secret key lives, isn't a good idea.
>
> Ideas?

see attachment for an ALPHA version (working but unsafe code)

Thomas




gnupg-1.4.2-md-seed-3.diff.gz
Description: application/gzip




Re: Remote signing?

2006-02-20 Thread Thomas Kühne
Matthias Urlichs wrote:
> Hello,
>
> I need to sign files remotely. They're moderately large, so
> transmitting them back to my firewalled-off laptop (I'm usually
> behind a slow line), where the secret key lives, isn't a good idea.
>
> Ideas?

I'm currently working on a patch for gnupg that enables remote signatures.

see attachment for an ALPHA version (working but unsafe code)

Thomas


Remote Signatures for GnuPG

WARNING: DON'T USE THE PATCH ON PRODUCTION SYSTEMS
(lots of ugly, unsafe code and missing guardians)

Apply the patch to the gnupg-1.4.2 sources and follow the usual instructions to 
build gnupg

--print-seed algo file
======================

algo: MD5 SHA1 RIPEMD160 (SHA256 SHA384 SHA512)
file: the file that should be signed

sample: gpg --print-seed SHA1 ./NEWS
> algo=SHA1&sig_type=0&block=1119&state=%DE%7C%02Qtt%E1Y%98%C5%BA%12e
> %3F%9Erl%BB%ED%F6&length=432&buffer=%20MERCHANTABILITY%20or%20FITNE
> SS%20FOR%20A%20PARTICULAR%20PURPOSE%2E%0A

--sign-seed seed
================

seed: a seed generated by --print-seed

sample: gpg --sign-seed algo=SHA1&sig_[...]2E%0A
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----


License: GPL
Copyright: 2006 Thomas Kuehne <[EMAIL PROTECTED]> 

Thomas


diff -urBbN gnupg-1.4.2/cipher/algorithms.h 
gnupg-1.4.2-md-seed-1/cipher/algorithms.h
--- gnupg-1.4.2/cipher/algorithms.h 2005-05-31 08:29:54.0 +0200
+++ gnupg-1.4.2-md-seed-1/cipher/algorithms.h   2006-02-18 18:56:37.0 
+0100
@@ -21,6 +21,10 @@
 #ifndef GNUPG_ALGORITHMS_H
 #define GNUPG_ALGORITHMS_H 1
 
+#ifdef ENABLE_MD_SEED
+#include "md_seed.h"
+#endif
+
 const char *dynload_enum_module_names (int seq);
 
 const char *
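Review bot: the include of "md_seed.h" is guarded by ENABLE_MD_SEED, and the prototypes further down use the MD_SEED type it provides under the same guard, which is consistent; but nothing in this hunk shows where ENABLE_MD_SEED comes from. It should be defined centrally (config.h via configure rather than a per-file -D), and a comment next to the include should say so, because a translation unit built without the flag sees a different set of prototypes than one built with it.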
@@ -30,6 +34,10 @@
   void (**r_write)( void *c, byte *buf, size_t nbytes ),
   void (**r_final)( void *c ),
   byte *(**r_read)( void *c )
+#ifdef ENABLE_MD_SEED
+  , void (**r_read_seed)( void *c, MD_SEED seed),
+  void (**r_write_seed)( void *c, MD_SEED seed)
+#endif
   );
 
 
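Review bot: appending `, void (**r_read_seed)( void *c, MD_SEED seed),` and `void (**r_write_seed)( void *c, MD_SEED seed)` inside the `#ifdef` makes the arity of this function depend on a compile-time flag, so every definition in the cipher modules and every caller, including modules found through `dynload_enum_module_names` above, must be built with the same setting; across a dynamically loaded boundary a mismatch is not a compiler error, it is a call with the wrong number of arguments. The names also do not say which way the seed flows: a one-line comment on whether `r_read_seed` loads the seed into the context `c` or reads it out of `c` would keep the modules from wiring the two up backwards.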
@@ -40,6 +48,10 @@
  void (**r_write)( void *c, byte *buf, size_t nbytes ),
  void (**r_final)( void *c ),
  byte *(**r_read)( void *c )
+#ifdef ENABLE_MD_SEED
+  , void (**r_read_seed)( void *c, MD_SEED seed),
+  void (**r_write_seed)( void *c, MD_SEED seed)
+#endif
  );
 
 const char *
@@ -49,6 +61,10 @@
   void (**r_write)( void *c, byte *buf, size_t nbytes ),
   void (**r_final)( void *c ),
   byte *(**r_read)( void *c )
+#ifdef ENABLE_MD_SEED
+  , void (**r_read_seed)( void *c, MD_SEED seed),
+  void (**r_write_seed)( void *c, MD_SEED seed)
+#endif
);
 
 const char *
@@ -58,6 +74,10 @@
 void (**r_write)( void *c, byte *buf, size_t nbytes ),
 void (**r_final)( void *c ),
 byte *(**r_read)( void *c )
+#ifdef ENABLE_MD_SEED
+  , void (**r_read_seed)( void *c, MD_SEED seed),
+  void (**r_write_seed)( void *c, MD_SEED seed)
+#endif
 );
 
 const char *
@@ -67,6 +87,10 @@
 void (**r_write)( void *c, byte *buf, size_t nbytes ),
 void (**r_final)( void *c ),
 byte *(**r_read)( void *c )
+#ifdef ENABLE_MD_SEED
+  , void (**r_read_seed)( void *c, MD_SEED seed),
+  void (**r_write_seed)( void *c, MD_SEED seed)
+#endif
 );
 
 const char *
@@ -76,6 +100,10 @@
 void (**r_write)( void *c, byte *buf, size_t nbytes ),
 void (**r_final)( void *c ),
 byte *(**r_read)( void *c )
+#ifdef ENABLE_MD_SEED
+  , void (**r_read_seed)( void *c, MD_SEED seed),
+  void (**r_write_seed)( void *c, MD_SEED seed)
+#endif
 );
 
 const char *
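Review bot: the same four guarded lines are repeated in six declarations in this file; a single macro (a hypothetical `MD_SEED_PARAMS`, say) expanding to the two extra parameters under `ENABLE_MD_SEED` would keep the six signatures from drifting apart when the seed interface changes.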
diff -urBbN gnupg-1.4.2/cipher/md.c gnupg-1.4.2-md-seed-1/cipher/md.c
--- gnupg-1.4.2/cipher/md.c 2005-05-31 08:29:54.0 +0200
+++ gnupg-1.4.2-md-seed-1/cipher/md.c   2006-02-19 17:57:54.0 +0100
@@ -31,6 +31,10 
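
The --print-seed / --sign-seed split described in this post, as an added Python example that is not Thomas's patch or GnuPG code: the remote side compresses every full 64-byte block and emits the SHA-1 internal state plus the unhashed tail in the thread's key=value seed format, and the signing side pads and finishes the hash from that alone, so the file never crosses the slow link. The byte order of the state words and the meaning of the length field (tail length in bits) are assumptions, and the inputs are constructed.

```python
import struct
from urllib.parse import quote, unquote_to_bytes

SHA1_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block into the 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e))]

def make_seed(data):
    """Remote side (--print-seed): compress every full block, keep the tail."""
    state, nblocks = SHA1_IV, len(data) // 64
    for i in range(nblocks):
        state = sha1_compress(state, data[64 * i:64 * i + 64])
    tail = data[64 * nblocks:]
    return "&".join([
        "algo=SHA1", "sig_type=0", "block=%d" % nblocks,
        "state=" + quote(struct.pack(">5I", *state), safe=""),  # assumed big-endian words
        "length=%d" % (len(tail) * 8),                           # assumed: tail length in bits
        "buffer=" + quote(tail, safe=""),
    ])

def finish_from_seed(seed):
    """Signing side (--sign-seed): pad and finish from the midstate; no file needed."""
    f = dict(kv.split("=", 1) for kv in seed.split("&"))
    state = list(struct.unpack(">5I", unquote_to_bytes(f["state"])))
    tail = unquote_to_bytes(f["buffer"])
    if f["algo"] != "SHA1" or len(tail) >= 64 or len(tail) * 8 != int(f["length"]):
        raise ValueError("unsupported or inconsistent seed")
    total_bits = (int(f["block"]) * 64 + len(tail)) * 8
    msg = tail + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack(">Q", total_bits)
    for i in range(0, len(msg), 64):
        state = sha1_compress(state, msg[i:i + 64])
    return struct.pack(">5I", *state)  # the 20-byte digest the signature is made over
```

The caveat from the other replies applies unchanged: whoever can alter the seed in transit decides what gets signed, so the seed needs the same protection on the way to the laptop that a list of hashes would.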

Re: Remote signing?

2006-02-20 Thread Matthias Urlichs
Hello,

I wrote:
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.
> 
> Ideas?

What happens if you have a smartcard, anyway -- doesn't the gpg agent
tunnel these requests?

Using standard gpg as the back end shouldn't be too much of a
stretch then..?




Re: Remote signing?

2006-02-19 Thread Bjoern Buerger
Matthias Urlichs wrote:
> I need to sign files remotely. They're moderately large
> Ideas?

Use md5sum|sha1sum|[...] and sign the resulting file.

Ciao, Bjørn









Re: Remote signing?

2006-02-19 Thread David Shaw
On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote:
> Hello,
> 
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.

You have two good options.  Which is the best option depends on your
exact circumstances.

The first option is to hash the files remotely, with something like:

  gpg --print-md sha256 (thefile)

and then make a text file of hashes on your local laptop and sign that
text file.  This option presumes that the link between the remote
machine and your local machine is secure so that someone replacing the
hash between the remote and local machine is not a risk.

The other option is to make a new key (or new subkey) that can live on
the remote machine.  This key would be signed with your main key so
there is a chain of trust.  The disadvantage here is that if the
remote machine (and thus the key living there) is compromised, the
attacker may issue signatures using that key.  You can revoke the key,
of course, but this assumes that the recipients can get the
revocation.

David



Re: Remote signing?

2006-02-19 Thread Janusz A. Urbanowicz
On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote:
> Hello,
> 
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.

create (and rotate frequently) a signing subkey and export it where the
files live & sign there

a



Re: Remote signing?

2006-02-19 Thread Roscoe
Seeing as a detached sig is just a signed hash, you could hash the
file remotely then copy the hash over and construct a detached sig
from that. I imagine no current app supports that kind of thing(??) so
that might involve X amount of pissing about coding your own solution.

Many folk just run sha1sum and sign the output of that.
It requires an extra command to be run to verify, but nothing major.

On 2/19/06, Matthias Urlichs <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.
>
> Ideas?
>
> --
> Matthias Urlichs


Remote signing?

2006-02-19 Thread Matthias Urlichs
Hello,

I need to sign files remotely. They're moderately large, so transmitting
them back to my firewalled-off laptop (I'm usually behind a slow line),
where the secret key lives, isn't a good idea.

Ideas?

-- 
Matthias Urlichs


