Signing a file given its hash only
Jakob Bohm
jb-gnumlists at wisemo.com
Wed May 21 15:59:24 CEST 2025
On 5/19/2025 18:08:07, Jay Acuna via Gnupg-users wrote:
> On Sun, May 18, 2025 at 6:58 AM Richard Stoughton <kyrieuon at gmail.com> wrote:
>> To "sign" the hash on M, it would be necessary to inject a one-time
>> secret (e.g. a OpenPGP private key
> This would seem to invalidate H's purpose for existing. At that point
> may as well backup the keys on H & move its signing subkey to a USB GPG
> Card. Install the card-based keypairs on M, and remove H from the process.
>
> The card provides M a means to sign only at the time that physical
> card is inserted, w/the correct PIN is entered, and M never gains
> access to read the secret.
>
>> creates the final signatures. This could be done in a much more
>> efficient way if GnuPG would be able to create signatures with hashes
>> instead of the complete file content as input.
> You can provide a list of hashes and filenames as the text to be signed by GPG.
> The signing of a text message usually outputs both the content
> of the message and a signature.
>
> For the input to be signed the signer has to have access to a message.
>
> Otherwise: How can that signer apply their policies and scan the
> content of what they are signing in order to confirm that it adheres
> to the standard of what should be signed?
> If the signer is to blindly trust M, then you may as well perform the
> signing from M.
>
> The PGP format/protocol for the digital signature to be outputted also
> does not provide a way to sign without the complete file content and
> the ability to concatenate that content with other PGP subpackets added
> to the message signature before the SHA256 (or other hash) is
> calculated, which are inserted by the signer.
>
> The subpackets are specific to the signer's software implementation
> and version; might contain various extensions, signer information,
> randomized data, timestamps (the signature creation timestamp), or
> other padding sequences which would ensure no two digital signatures
> are based on an identical hash, even if the content of the file being
> signed is identical.
>
> A precomputed SHA256 hash based on the file content alone cannot be
> copied into a PGP signature, since a signature presumably could not be
> derived from a hash of the file directly, even with changes to the
> source code. This is presumably a feature that could not be easily added.
>
> Since other PGP hashed signature packets are likely to be contained in
> the PGP signature, which are part of the value that is to be hashed,
> but are not part of the contents of the file being signed.
>
> As per RFC 4880, Page 23, 5.2.3 Version 4 Signature Packet Format
> 5.2.3.1. Signature Subpacket Specification
>
Please stop suggesting less secure solutions to those who have already set
up high security compartmentalized systems. It makes you look malicious.
From what you claim, it seems the data to be hashed does NOT include the
private key for the signature that would be made by the high security
compartmentalized server, just some metadata about the public key etc.
Maybe multiple signatures will have to be passed from signer to signer
as each adds their signature to the end of the set. Depending on what
the PGP standards say, this may or may not require passing along an
intermediary hash state (hash computation block and last partial hash
input block) to allow each additional signer to compute a hash from
start of message to fields added by that signer.
Obviously, such calculations are apparently not in the currently
shipping GPG code, but could be written by companies that need it
locally (using the GPL interpretation that keeping the binaries
private allows keeping the source code equally private).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
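The hash computation both messages describe (RFC 4880 5.2.4: the file content, then the signature header with its hashed subpackets, then the six-octet trailer), shown as an added Python example that is not from this thread or from GnuPG. It assumes the file holder and the signer run in one process so that hashlib's copy() can stand in for the "intermediary hash state" Jakob mentions; across machines that state would need a hash implementation that can export its block state, which hashlib cannot.

```python
import hashlib
import struct

# OpenPGP v4 signature packet constants (RFC 4880 sections 5.2.3 and 5.2.4)
SIG_VERSION = 0x04
SIG_TYPE_BINARY = 0x00    # signature of a binary document
PUBKEY_ALG_RSA = 1
HASH_ALG_SHA256 = 8


def v4_signature_header(hashed_subpackets: bytes) -> bytes:
    """Signer-supplied bytes hashed after the document: version, signature
    type, public-key and hash algorithm IDs, then the hashed subpacket area
    preceded by its two-octet big-endian length."""
    fixed = bytes([SIG_VERSION, SIG_TYPE_BINARY, PUBKEY_ALG_RSA, HASH_ALG_SHA256])
    return fixed + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets


def v4_trailer(header: bytes) -> bytes:
    """Six-octet trailer: 0x04, 0xFF, big-endian count of header octets hashed."""
    return b"\x04\xff" + struct.pack(">I", len(header))


def full_signature_digest(data: bytes, hashed_subpackets: bytes) -> bytes:
    """What a signer holding the whole file hashes (the value that gets signed)."""
    header = v4_signature_header(hashed_subpackets)
    return hashlib.sha256(data + header + v4_trailer(header)).digest()


def digest_from_hash_state(state, hashed_subpackets: bytes) -> bytes:
    """Continue from an intermediate SHA-256 state that already absorbed the
    file content; the signer appends its own header and trailer without
    ever seeing the file. (hashlib copy() stands in for a transferred state.)"""
    h = state.copy()
    header = v4_signature_header(hashed_subpackets)
    h.update(header)
    h.update(v4_trailer(header))
    return h.digest()


def creation_time_subpacket(timestamp: int) -> bytes:
    """Hashed subpacket type 2 (Signature Creation Time): length 5, type, 4-octet time."""
    return bytes([5, 2]) + struct.pack(">I", timestamp)


def plain_hash_misuse(data: bytes, hashed_subpackets: bytes) -> bytes:
    """Wrong approach from the thread: feeding a finished SHA-256 of the file
    into the signature computation does NOT reproduce the real digest."""
    header = v4_signature_header(hashed_subpackets)
    return hashlib.sha256(hashlib.sha256(data).digest() + header + v4_trailer(header)).digest()
```

Two signatures over the same file but different creation-time subpackets hash to different values, which is the point made above about no two signatures sharing an identical hash.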