Agent PKSIGN (Using the GNU Privacy Guard)



2.6.2 Signing a Hash

The client asks the agent to sign a given hash value. A default key will be chosen if no key has been set. To set a key a client first uses:

 SIGKEY <keyGrip>

This can be used multiple times to create multiple signatures; the list of keys is reset with the next PKSIGN command or a RESET. The server tests whether the key is a valid key for signing and responds with OK.

 SETHASH --hash=<name>|<algo> <hexstring>

The client can use this command to tell the server about the data <hexstring> (which usually is a hash) to be signed. <algo> is the decimal encoded hash algorithm number as used by Libgcrypt. Either <algo> or --hash=<name> must be given. Valid names for <name> are:

sha1
    The SHA-1 hash algorithm
sha256
    The SHA-256 hash algorithm
rmd160
    The RIPE-MD160 hash algorithm
md5
    The old and broken MD5 hash algorithm
tls-md5sha1
    A combined hash algorithm as used by the TLS protocol.

The actual signing is done using

 PKSIGN <options>

Options are not yet defined, but may later be used to choose among different algorithms. The agent then performs some checks, asks for the passphrase and returns the signature as an SPKI-like S-expression in "D" lines:

 (sig-val
   (<algo>
     (<param_name1> <mpi>)
     ...
     (<param_namen> <mpi>)))

The operation is affected by the option

 OPTION use-cache-for-signing=0|1

The default of 1 uses the cache. Setting this option to 0 causes gpg-agent to ignore the passphrase cache. Note that there is also a global command line option for gpg-agent to disable caching altogether.

Here is an example session:

 C: SIGKEY <keyGrip>
 S: OK key available
 C: SIGKEY <keyGrip>
 S: OK key available
 C: PKSIGN
 S: # I did ask the user whether he really wants to sign
 S: # I did ask the user for the passphrase
 S: INQUIRE HASHVAL
 C: D ABCDEF012345678901234
 C: END
 S: # signature follows
 S: D (sig-val rsa (s 45435453654612121212))
 S: OK
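The following is an added example, not code from the GnuPG manual or from gpg-agent itself. It models the SIGKEY / SETHASH / PKSIGN flow and the session shown above from both sides: a client helper that builds a SETHASH line (enforcing the "either <algo> or --hash=<name>" rule and the listed hash names), a parser for the sig-val S-expression that the agent returns in D lines, and a scripted FakeAgent that answers SIGKEY, SETHASH and PKSIGN, issuing INQUIRE HASHVAL when no hash was set. FakeAgent, run_session, the keygrip strings and the "signature" values are assumptions made for illustration; the agent signs nothing, and the MPI it emits is a plain digest standing in for a real signature.

```python
# Added example, not part of the GnuPG manual.  FakeAgent is an assumption that
# models only the message flow described above; it signs nothing and is not gpg-agent.
import hashlib
import re

# Hash names the manual lists as valid for SETHASH --hash=<name>.
VALID_HASH_NAMES = {"sha1", "sha256", "rmd160", "md5", "tls-md5sha1"}

def sethash_command(hexstring, name=None, algo=None):
    """Build a SETHASH line; exactly one of name or algo must be given."""
    if (name is None) == (algo is None):
        raise ValueError("give either --hash=<name> or <algo>, not both or neither")
    if name is not None and name not in VALID_HASH_NAMES:
        raise ValueError(f"unknown hash name {name!r}")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexstring):
        raise ValueError("hexstring must consist of hex digits")
    selector = f"--hash={name}" if name is not None else str(int(algo))
    return f"SETHASH {selector} {hexstring}"

def parse_sexp(text):
    """Parse the advanced S-expression form shown above into nested lists."""
    stack, cur = [], []
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            if not stack:
                raise ValueError("unexpected ')'")
            finished, cur = cur, stack.pop()
            cur.append(finished)
        else:
            cur.append(tok)
    if stack or len(cur) != 1:
        raise ValueError("expected exactly one balanced S-expression")
    return cur[0]

def signature_params(sexp):
    """Return (algo, {param: mpi}); accepts (sig-val (rsa (s ..))) and (sig-val rsa (s ..))."""
    if not isinstance(sexp, list) or not sexp or sexp[0] != "sig-val":
        raise ValueError("not a sig-val S-expression")
    body = sexp[1:]
    if len(body) == 1 and isinstance(body[0], list):
        body = body[0]
    return body[0], {p[0]: p[1] for p in body[1:]}

class FakeAgent:
    """Scripted stand-in for the server side (an assumption, not gpg-agent)."""
    def __init__(self):
        self.keys, self.hashval, self.inquiring = [], None, False

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd == "SIGKEY":
            self.keys.append(arg)
            return ["OK key available"]
        if cmd == "SETHASH":
            self.hashval = arg.split()[-1]
            return ["OK"]
        if cmd == "PKSIGN":
            out = ["# I did ask the user for the passphrase"]
            if self.hashval is None:  # no SETHASH yet: request the hash via INQUIRE
                self.inquiring = True
                return out + ["INQUIRE HASHVAL"]
            return out + self._sign()
        if self.inquiring and cmd == "D":
            self.hashval = arg
            return []
        if self.inquiring and cmd == "END":
            self.inquiring = False
            return self._sign()
        return ["ERR unknown command"]

    def _sign(self):
        # Stand-in signature: a digest over keygrip and hash, NOT a real RSA signature.
        lines = ["# signature follows"]
        for grip in self.keys or ["DEFAULTKEYGRIP"]:  # placeholder default key
            mpi = hashlib.sha256(f"{grip}:{self.hashval}".encode()).hexdigest()[:20]
            lines.append(f"D (sig-val rsa (s {mpi.upper()}))")
        self.keys, self.hashval = [], None  # the key list is reset by PKSIGN
        return lines + ["OK"]

def run_session(agent, keygrips, hexstring, hash_name=None):
    """Client side; returns (transcript, [(algo, {param: mpi}), ...])."""
    transcript, replies = [], []
    pending = [f"SIGKEY {g}" for g in keygrips]
    if hash_name:
        pending.append(sethash_command(hexstring, name=hash_name))
    pending.append("PKSIGN")
    while pending:
        line = pending.pop(0)
        transcript.append("C: " + line)
        replies = agent.handle(line)
        transcript.extend("S: " + r for r in replies)
        if replies and replies[-1] == "INQUIRE HASHVAL":  # answer with D lines + END
            pending[:0] = [f"D {hexstring}", "END"]
    if replies[-1] != "OK":
        raise RuntimeError(replies[-1])
    return transcript, [signature_params(parse_sexp(r[2:])) for r in replies if r.startswith("D ")]
```

Calling run_session(FakeAgent(), ["GRIP1", "GRIP2"], "ABCDEF0123456789") reproduces the shape of the session above (two SIGKEY lines, PKSIGN, INQUIRE HASHVAL answered with D and END, then one D line per key and OK); passing hash_name="sha256" instead sends SETHASH first, so the agent signs without inquiring. The parser accepts both the nested template form and the flat form used in the example transcript, so a client can extract the per-algorithm parameters without caring which one the server emitted.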
