FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux Development

 
 
LinkBack Thread Tools
 
Old 12-30-2011, 06:38 PM
Rémy Oudompheng
 
Default Remote PGP signing service (proof of concept)

Hello,

I just wrote a small proof of concept for remote PGP signing.
It is written in Go (using the weekly snapshot, not the
r60 release), and is hosted at:
https://github.com/remyoudompheng/remotepgp

Usage is quite simple:
- compile everything
- run the server on the appropriate machine, for example
./server -addr localhost:10022
(by default it binds on localhost)
- choose a remote file name
- run the client:
./client -server http://localhost:10022/hash /home/remy/packages/blah

It does the following:
- looks for the secret keyring in $HOME/.gnupg/secring.gpg
- chooses the first secret key and asks for the passphrase if needed
- sends a little chunk of bytes to the server
- the server hashes the concatenation of the file and the little chunk
and returns the hash
- the client finishes the signature process and writes blah.sig in the
current directory.

You should then be able to copy the remote file and check the signature
is valid.

For paranoid remote usage, it is possible to setup a SSH tunnel to
connect to the server.

Any comments are welcome.

--
Rémy.

(I'm not really good at license terms and associated legalese,
please tell me if copyright notices get wrong)
 
Old 12-30-2011, 06:38 PM
Rémy Oudompheng
 
Default Remote PGP signing service (proof of concept)

Hello,

I just wrote a small proof of concept for remote PGP signing.
It is written in Go (using the weekly snapshot, not the
r60 release), and is hosted at:
https://github.com/remyoudompheng/remotepgp

Usage is quite simple:
- compile everything
- run the server on the appropriate machine, for example
./server -addr localhost:10022
(by default it binds on localhost)
- choose a remote file name
- run the client:
./client -server http://localhost:10022/hash /home/remy/packages/blah

It does the following:
- looks for the secret keyring in $HOME/.gnupg/secring.gpg
- chooses the first secret key and asks for the passphrase if needed
- sends a little chunk of bytes to the server
- the server hashes the concatenation of the file and the little chunk
and returns the hash
- the client finishes the signature process and writes blah.sig in the
current directory.

You should then be able to copy the remote file and check the signature
is valid.

For paranoid remote usage, it is possible to setup a SSH tunnel to
connect to the server.

Any comments are welcome.

--
Rémy.

(I'm not really good at license terms and associated legalese,
please tell me if copyright notices get wrong)
 
Old 12-31-2011, 12:08 PM
Thomas Bächler
 
Default Remote PGP signing service (proof of concept)

Am 30.12.2011 20:38, schrieb Rémy Oudompheng:
> I just wrote a small proof of concept for remote PGP signing.
> It is written in Go (using the weekly snapshot, not the
> r60 release), and is hosted at:
> https://github.com/remyoudompheng/remotepgp
>
> Usage is quite simple:
> - compile everything
> - run the server on the appropriate machine, for example
> ./server -addr localhost:10022
> (by default it binds on localhost)
> - choose a remote file name
> - run the client:
> ./client -server http://localhost:10022/hash /home/remy/packages/blah
>
> It does the following:
> - looks for the secret keyring in $HOME/.gnupg/secring.gpg
> - chooses the first secret key and asks for the passphrase if needed
> - sends a little chunk of bytes to the server
> - the server hashes the concatenation of the file and the little chunk
> and returns the hash
> - the client finishes the signature process and writes blah.sig in the
> current directory.

I didn't try this yet, but here is an important comment: When using IP
networking for the connection, everyone on the server could access the
service. Instead, you could run a service over ssh (like sftp-server),
and open a UNIX socket with that service. Then, you can control who has
access (only the user that runs the service).

Apart from that, I like it
 
Old 01-03-2012, 05:16 PM
Dan McGee
 
Default Remote PGP signing service (proof of concept)

On Sat, Dec 31, 2011 at 7:08 AM, Thomas Bächler <thomas@archlinux.org> wrote:
> Am 30.12.2011 20:38, schrieb Rémy Oudompheng:
>> I just wrote a small proof of concept for remote PGP signing.
>> It is written in Go (using the weekly snapshot, not the
>> r60 release), and is hosted at:
>> * *https://github.com/remyoudompheng/remotepgp
>>
>> Usage is quite simple:
>> - compile everything
>> - run the server on the appropriate machine, for example
>> * * *./server -addr localhost:10022
>> * (by default it binds on localhost)
>> - choose a remote file name
>> - run the client:
>> * * *./client -server http://localhost:10022/hash */home/remy/packages/blah
>>
>> It does the following:
>> - looks for the secret keyring in $HOME/.gnupg/secring.gpg
>> - chooses the first secret key and asks for the passphrase if needed
>> - sends a little chunk of bytes to the server
>> - the server hashes the concatenation of the file and the little chunk
>> * and returns the hash
>> - the client finishes the signature process and writes blah.sig in the
>> * current directory.
>
> I didn't try this yet, but here is an important comment: When using IP
> networking for the connection, everyone on the server could access the
> service. Instead, you could run a service over ssh (like sftp-server),
> and open a UNIX socket with that service. Then, you can control who has
> access (only the user that runs the service).
>
> Apart from that, I like it

This is really cool. I'll definitely be taking a closer look at this
when I have time.

It does seem a bit ridiculous there are no simple signature-only
programs out there. This is the closest thing I found:
http://www.cypherspace.org/openpgp/pgpdsa/

I agree with Thomas on perhaps thinking about a socket-based protocol
for security purposes; the same binary could even be used client and
server side; something like
$ remotesign dmcgee@hostname:/path/to/my/file
would interpret the URL ala scp, and call something like
$ remotesign --genhash /path/to/my/file
on the remote host, taking on stdin the suffix bytes or whatever magic
it is that is needed to be incorporated to the hash, and writing the
result back on stdout.

Of course this is me spitting ideas; you actually put up the code so
you're about 100x more awesome right now.

-Dan
 

Thread Tools




All times are GMT. The time now is 07:35 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org