Signing a file given its hash only

Jay Acuna mysidia at gmail.com
Wed May 21 17:09:21 CEST 2025


On Wed, May 21, 2025 at 9:00 AM Jakob Bohm via Gnupg-users
<gnupg-users at gnupg.org> wrote:

> Please stop suggesting less secure solutions to those who have already set
> up high security compartmentalized systems.  It makes you look malicious .

These are not less secure solutions.  It is not a fact that a
"compartmentalized" system is secure.

There are well-established standards for what counts as a secure cryptographic
hardware module.  In the scenario described this server "H" does not
qualify as a secure module.  The recommendation is to use qualified secure
cryptographic modules with any necessary physical security controls and
offline signing workstations.

The existence of H does not improve the signing process, since it can't actually
review what it is signing.  Since H behaves as if M is an implicitly
trusted agent, and automatically signs what M presents to be signed without
being able to verify anything: H and M do not act with any independent or
separable agency during the signing process.

It seems that H's existence is useless from a security
standpoint and only weakens security.

H becomes an overall liability in terms of the security of the
signing: simply due to the added complexity and the creation of
additional unnecessary processes, communications, and systems which are
subject to possible compromise, and since M wants to present a hash to H for
an unsigned message: there is no means for H to confirm the hash has not been
altered from the hash or signing context that M believes it is sending to H.


> Obviously, such calculations are apparently not in the currently
> shipping GPG code, but could be written by companies that need it

Companies can do as they like, but breaking up the signing internally
like this is not part of the PGP standard and seems to amount to
rolling your own crypto, which introduces probable vulnerabilities.

You'd actually be better off just having both H and M sign the message,
and require the verification process to ensure that both H and M
signatures are good.


And why wouldn't they just write wrapper scripts for GPG or PGP signing and
verification at that point?  To create a signed text file for the hash
for signing:

  #!/bin/sh
  # ./sign.sh <file list>
  # Sign each file's SHA-256 digest with the local key "username" (-u),
  # writing a fresh clearsigned hash file next to each input.
  for i in "$@" ; do
     sha256sum -- "$i" | gpg -u username --clearsign > "$i.signedhash"
  done

  #!/bin/sh
  # ./verify.sh <file list>
  fail() {
       echo "$@" >&2
       exit 1
  }
  for i in "$@" ; do
     # Check the signature first: the exit status of the pipeline below
     # is sha256sum's, so a bad signature on its own would not be caught.
     gpg --verify -- "$i.signedhash" || fail "Bad signature on $i.signedhash"
     gpg -d -- "$i.signedhash" | sha256sum -c || fail "Failed to verify $i"
  done



> Jakob
--
-JA
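
The "have both H and M sign, and require both signatures to be good" approach
from the message above, as an added example that is not part of the original
post or of GnuPG: a POSIX sh script that reads gpg's machine-readable
--status-fd output and accepts a clearsigned hash file only when valid
signatures from both designated fingerprints are present and no signature
failed.  gpg --verify alone exits 0 when the signatures it finds are good,
but it does not know that two particular signers are required; that policy
has to be checked by the caller.  The fingerprints, the constructed sample
status lines, and the assumption that both signatures live in one clearsigned
file (e.g. made with "gpg -u H -u M --clearsign") are illustrative, not from
the thread.

```shell
#!/bin/sh
# Added example, not from the original post: require good signatures from
# BOTH designated keys (H and M) on a clearsigned hash file.
# Placeholder fingerprints (assumption), not real keys.
H_FPR="0000000000000000000000000000000000000001"
M_FPR="0000000000000000000000000000000000000002"

# has_validsig STATUS FPR
# 0 if STATUS holds a "[GNUPG:] VALIDSIG <FPR> ..." line (one per good sig).
has_validsig() {
    printf '%s\n' "$1" | grep -q "^\[GNUPG:] VALIDSIG $2 "
}

# both_signed STATUS
# 0 only when no signature failed and both H and M produced a VALIDSIG.
both_signed() {
    if printf '%s\n' "$1" \
        | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    has_validsig "$1" "$H_FPR" && has_validsig "$1" "$M_FPR"
}

# verify_both FILE.signedhash
# Assumes one clearsigned file carrying both signatures, e.g. produced by
#   sha256sum -- file | gpg -u H -u M --clearsign > file.signedhash
verify_both() {
    gpg_status=$(gpg --batch --status-fd 1 --verify -- "$1" 2>/dev/null) \
        || return 1
    both_signed "$gpg_status" || return 1
    # Only now is the content trusted enough to compare the file hash.
    gpg --batch --quiet -d -- "$1" 2>/dev/null | sha256sum -c --status
}

# Constructed sample status output (not captured from a real gpg run), in
# the VALIDSIG field layout gpg emits: fingerprint, date, timestamps, ...
SAMPLE_STATUS_H_ONLY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 H <h@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2025-05-21 1747840000 0 4 0 1 8 01 0000000000000000000000000000000000000001'
SAMPLE_STATUS_BOTH="$SAMPLE_STATUS_H_ONLY
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000002 M <m@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000002 2025-05-21 1747840000 0 4 0 1 8 01 0000000000000000000000000000000000000002"

# Usage: ./verify_both.sh file.signedhash
# With no argument, run the policy check over the constructed samples.
if [ "$#" -gt 0 ]; then
    verify_both "$1" && echo "accepted: H and M both signed $1" \
        || { echo "rejected: $1" >&2; exit 1; }
else
    both_signed "$SAMPLE_STATUS_BOTH"   && echo "sample with H and M: accepted"
    both_signed "$SAMPLE_STATUS_H_ONLY" || echo "sample with H only:  rejected"
fi
```

The point of checking VALIDSIG fingerprints rather than GOODSIG user IDs is that user IDs are free text chosen by whoever made the key; the fingerprint is what pins the policy to the two specific keys.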



More information about the Gnupg-users mailing list