内存中GPG签名(或可能使用临时密钥环) [英] In-memory GPG signing (or possibly using a temporary keyring)

问题描述

我正在开发一个Web应用程序，该应用程序需要为员工在工作人员上传的文件上创建GPG签名.但是，为了安全起见，即使密钥受到密码保护，我也不想将签名密钥保留在Web服务器上.

I'm working on a web app that needs to create GPG signatures for files as they're uploaded by someone on staff. However, for security, I don't want to keep the signing key on the webserver, even though it's protected by a passphrase.

我正在研究的一种解决方案是在启动Webapp时提示输入私钥，并将其存储在内存中.然后，在签名时传递密钥文本，而不要使用密钥环中的密钥.

One solution I was looking into was to prompt for the private key on startup of the webapp, and store it in memory. Then, pass in the text of the key when signing, instead of using a key from the keyring.

但是，我已经四处张望，找不到任何方法. GPG希望密钥在密钥环中.有什么建议或更好的主意吗?我使用的是Python，但是任何命令行工具/脚本也都可以很好地工作.

However, I've done a lot of looking around and can't find any way to do this. GPG expects the key to be in the keyring. Any suggestions, or better ideas? I'm using Python, but any command-line tools/scripts would work great as well.

(我意识到我总是可以始终在非面向公众的计算机上手动生成签名...但是我想先对此进行研究，因为如果可能的话，它将更加方便.)

(I realize I can always just generate signatures manually, on a non-public-facing machine...but I wanted to investigate this first, because if it's possible it would be much more convenient.)

推荐答案

有关超级用户的答案可能会给您一些想法.它是为使用公钥加密而编写的，但是很容易适应.总而言之:您可以使用gpg --homedir SOMEDIR，其中SOMEDIR是tmpfs文件系统上的目录，例如传统的/dev/shm.

This answer on superuser might give you some ideas. It's written for encrypting with a public key, but it would be easy to adapt. The long and short: you could use gpg --homedir SOMEDIR, where SOMEDIR was a directory on a tmpfs filesystem like the traditional /dev/shm.

这篇关于内存中GPG签名(或可能使用临时密钥环)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！