Open TommyLike opened 1 year ago
What benefit do you expect from that? Is hashing an actual performance bottleneck?
@dignifiedquire if we could hashing the object at the client side , there would be no need to transfer the whole object to server which is our case specifically.
OpenPGP signature hashes consist not only of the hashed payload of the signed data. The hash digests also include PGP framing data. See https://www.rfc-editor.org/rfc/rfc4880#section-5.2.3:
"The concatenation of the data being signed and the signature data from the version number through the hashed subpacket data (inclusive) is hashed. The resulting hash value is what is signed."
This means you can't calculate a regular hash (like sha256) of a file on a client, and send that hash to a "PGP signing service" to receive an OpenPGP signature. There are two possible designs you could consider:
See https://openpgp.dev/book/signatures.html#creating-an-openpgp-signature-packet for a schematic outline of how OpenPGP signature packets work, and how the hash digest they contain is calculated.
Background: We use pgp for remote sign of binaries(all of the sign operation will be performed at server side)
Now when using pgp crate for binary sign, the functional code would be like:
My question is could I seperate the hash logic out of sign function and hardcode the real hash algorithm back into Signature packet? the whole process would be like: