-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Seperate digest code and hardcode hash algorithm back in Signature packet when use pgp for sign? #225
Comments
What benefit do you expect from that? Is hashing an actual performance bottleneck? |
@dignifiedquire if we could hashing the object at the client side , there would be no need to transfer the whole object to server which is our case specifically. |
OpenPGP signature hashes consist not only of the hashed payload of the signed data. The hash digests also include PGP framing data. See https://www.rfc-editor.org/rfc/rfc4880#section-5.2.3:
This means you can't calculate a regular hash (like sha256) of a file on a client, and send that hash to a "PGP signing service" to receive an OpenPGP signature. There are two possible designs you could consider:
See https://openpgp.dev/book/signatures.html#creating-an-openpgp-signature-packet for a schematic outline of how OpenPGP signature packets work, and how the hash digest they contain is calculated. |
Background:
We use pgp for remote sign of binaries(all of the sign operation will be performed at server side)
Now when using pgp crate for binary sign, the functional code would be like:
My question is could I seperate the hash logic out of sign function and hardcode the real hash algorithm back into Signature packet? the whole process would be like:
The text was updated successfully, but these errors were encountered: