Signing a file given its hash only
Jay Acuna
mysidia at gmail.com
Mon May 19 18:08:07 CEST 2025
On Sun, May 18, 2025 at 6:58 AM Richard Stoughton <kyrieuon at gmail.com> wrote:
> To "sign" the hash on M, it would be necessary to inject a one-time secret (e.g. an OpenPGP private key
This would seem to invalidate H's purpose for existing. At that point you may as well back up the keys on H and move its signing subkey to a USB GPG card, install the card-based keypairs on M, and remove H from the process. The card provides M a means to sign only at the time that physical card is inserted and the correct PIN is entered, and M never gains access to read the secret.
> creates the final signatures. This could be done in a much more efficient way if GnuPG would be able to create signatures with hashes instead of the complete file content as input.
You can provide a list of hashes and filenames as the text to be signed by GPG. The signing of a text message usually outputs both the content of the message and a signature.

For the input to be signed, the signer has to have access to a message. Otherwise, how can that signer apply their policies and scan the content of what they are signing in order to confirm that it adheres to the standard of what should be signed? If the signer is to blindly trust M, then you may as well perform the signing from M.
The PGP format/protocol for the digital signature to be output also does not provide a way to sign without the complete file content and the ability to concatenate that content with other PGP subpackets, added to the message signature before the SHA256 (or other hash) is calculated, which are inserted by the signer.
The subpackets are specific to the signer's software implementation and version; they might contain various extensions, signer information, randomized data, timestamps (the signature creation timestamp), or other padding sequences which would ensure no two digital signatures are based on an identical hash, even if the content of the file being signed is identical.
A precomputed SHA256 hash based on the file content alone cannot be copied into a PGP signature, since a signature presumably could not be derived from a hash of the file directly, even with changes to the source code; this is presumably a feature that could not be easily added, since other PGP hashed signature subpackets are likely to be contained in the PGP signature which are part of the value that is to be hashed, but are not part of the contents of the file being signed.
As per RFC 4880, page 23, section 5.2.3 (Version 4 Signature Packet Format) and section 5.2.3.1 (Signature Subpacket Specification).
-JA
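To make the last point concrete, here is an added example (my own, not code from the thread or from GnuPG) that reproduces the v4 signature digest computation of RFC 4880 section 5.2.4 in Python and shows that the value actually signed is not the SHA-256 of the file alone, and that it changes with the signer-inserted creation-time subpacket. The octet values are quoted from the RFC; the sample file content and timestamps are constructed.

```python
import hashlib
import struct

# Octet values as given in RFC 4880 (quoted here from the spec).
SIG_VERSION = 0x04
SIG_TYPE_BINARY_DOC = 0x00      # signature of a binary document
PK_ALGO_RSA = 0x01              # RSA (Encrypt or Sign)
HASH_ALGO_SHA256 = 0x08
SUBPKT_CREATION_TIME = 2        # subpacket type 2: signature creation time


def subpacket(sp_type, body):
    """Encode one signature subpacket using the one-octet length form."""
    length = len(body) + 1      # length counts the type octet plus the body
    assert length < 192, "one-octet length form only"
    return bytes([length, sp_type]) + body


def v4_signature_digest(file_data, created_at, extra_subpackets=b""):
    """Digest a v4 binary-document signature actually signs (RFC 4880 5.2.4):
    file content, then the hashed signature portion (version, sig type,
    pk algo, hash algo, 2-octet subpacket length, hashed subpackets),
    then a trailer of 0x04 0xFF and the 4-octet length of that portion."""
    hashed_subpackets = (
        subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", created_at))
        + extra_subpackets
    )
    hashed_portion = (
        bytes([SIG_VERSION, SIG_TYPE_BINARY_DOC, PK_ALGO_RSA, HASH_ALGO_SHA256])
        + struct.pack(">H", len(hashed_subpackets))
        + hashed_subpackets
    )
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_portion))
    h = hashlib.sha256()
    h.update(file_data)          # the only part a precomputed file hash covers
    h.update(hashed_portion)     # signer-inserted data that is not in the file
    h.update(trailer)
    return h.hexdigest()


def plain_file_hash(file_data):
    """What a tool on M could precompute: SHA-256 of the file alone."""
    return hashlib.sha256(file_data).hexdigest()


if __name__ == "__main__":
    doc = b"constructed sample file content\n"   # constructed sample input
    print("file hash   :", plain_file_hash(doc))
    print("sig digest 1:", v4_signature_digest(doc, 1747670887))
    print("sig digest 2:", v4_signature_digest(doc, 1747670888))  # differs
```

Because the hashed subpackets and trailer are appended after the file content, the signer needs either the content itself or a hash computation that continues from it; a finished SHA-256 digest of the file cannot be extended this way.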