The server needs to implement opaque signing as well as detached signing. Due to the nature of OpenPGP messages it is always required to send the entire message to the server; sending just the hash is not possible. The following two commands are required to set the input and output file descriptors:
INPUT FD=n
Set the file descriptor for the message to be signed to n. The message sent to the server is binary encoded. For details on the file descriptor, see the description of INPUT in the ENCRYPT section.
OUTPUT FD=m
Set the file descriptor to be used for the output. The output is either the complete signed message or, in the case of a detached signature, just that detached signature. For OpenPGP, the output needs to be ASCII armored; for CMS, the output needs to be Base-64 encoded. For details on the file descriptor, see the INPUT command.
To allow the server to select a non-default signing key, the client may optionally use the SENDER command, see the SENDER command.
The signing operation is then initiated by:
SIGN --protocol=name [--detached]
Sign the data set with the INPUT command and write it to the sink set by OUTPUT. name is the signing protocol used for the message. For a description of the allowed protocols see the ENCRYPT command. With the option --detached given, a detached signature is created; this is actually the usual way the command is used.
The client expects the server to send at least this status information before the final OK response:
MICALG: string
The string represents the hash algorithm used to create the signature. It is used with MOSS style signature messages and defined by PGP/MIME (RFC-3156) and S/MIME (RFC-3851). The GPGME library has a supporting function gpgme_hash_algo_name to return the algorithm name as a string. This string needs to be lowercased and for OpenPGP prefixed with "pgp-".
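The following is an added example, not code from GPGME or its documentation. It simulates the complete exchange described above (INPUT, OUTPUT, optional SENDER, then SIGN) between a client and an in-memory stand-in UI server, and shows how the MICALG value is derived from a hash algorithm name. Everything below is constructed for illustration: file descriptors are dicts of byte buffers, the "signature" is an HMAC-SHA256 over the whole message standing in for a real OpenPGP or CMS signature (no ASCII armor or Base-64 is produced), and the status-line form "S MICALG value" follows the general Assuan convention rather than anything this page spells out. What the example does show faithfully is that the server, not the client, receives and hashes the entire message, and that MICALG is lowercased and "pgp-"-prefixed only for OpenPGP.

```python
import hashlib
import hmac
import io
import shlex

# Constructed stand-in key for the toy signer; a real UI server would use an
# OpenPGP or CMS key, possibly selected via SENDER.
_TOY_KEY = b"demo-only-key-not-a-real-signing-key"


def micalg_value(hash_name: str, protocol: str) -> str:
    """Derive the MICALG status value from an algorithm name such as "SHA256".

    hash_name plays the role of gpgme_hash_algo_name()'s return value. The
    page requires lowercasing and, for OpenPGP (RFC 3156), a "pgp-" prefix;
    S/MIME (RFC 3851) uses the bare lowercase name.
    """
    name = hash_name.lower()
    if protocol == "OpenPGP":
        return "pgp-" + name
    if protocol == "CMS":
        return name
    raise ValueError(f"unknown protocol {protocol!r}")


class ToyUiServer:
    """In-memory stand-in for a UI server handling INPUT/OUTPUT/SENDER/SIGN.

    fds maps a simulated file-descriptor number to a BytesIO buffer.
    """

    def __init__(self, fds):
        self.fds = fds
        self.input_fd = None
        self.output_fd = None
        self.sender = None

    def handle(self, line: str):
        """Return the list of protocol lines the server answers with."""
        parts = shlex.split(line)
        cmd, args = parts[0], parts[1:]
        if cmd in ("INPUT", "OUTPUT"):
            fd = int(args[0].split("=", 1)[1])  # argument is "FD=n"
            if fd not in self.fds:
                return ["ERR 1 bad file descriptor"]
            if cmd == "INPUT":
                self.input_fd = fd
            else:
                self.output_fd = fd
            return ["OK"]
        if cmd == "SENDER":
            self.sender = args[0]  # used only for key selection in a real server
            return ["OK"]
        if cmd == "SIGN":
            return self._sign(args)
        return ["ERR 1 unknown command"]

    def _sign(self, args):
        protocol, detached = None, False
        for a in args:
            if a.startswith("--protocol="):
                protocol = a.split("=", 1)[1]
            elif a == "--detached":
                detached = True
        if protocol not in ("OpenPGP", "CMS"):
            return ["ERR 1 unsupported protocol"]
        if self.input_fd is None or self.output_fd is None:
            return ["ERR 1 INPUT and OUTPUT must be set first"]
        # The whole message arrives over INPUT; the server hashes it itself.
        message = self.fds[self.input_fd].getvalue()
        tag = hmac.new(_TOY_KEY, message, hashlib.sha256).hexdigest().encode()
        out = self.fds[self.output_fd]
        if detached:
            out.write(tag)                     # detached: only the signature
        else:
            out.write(message + b"\n" + tag)   # opaque: message plus signature
        return [f"S MICALG {micalg_value('SHA256', protocol)}", "OK"]


def run_sign_exchange(message: bytes, protocol="OpenPGP", detached=True):
    """Drive the client side; return (transcript, micalg, output bytes)."""
    fds = {3: io.BytesIO(message), 4: io.BytesIO()}  # constructed fd table
    server = ToyUiServer(fds)
    transcript, micalg = [], None
    sign_cmd = f"SIGN --protocol={protocol}" + (" --detached" if detached else "")
    for cmd in ["INPUT FD=3", "OUTPUT FD=4", "SENDER alice@example.org", sign_cmd]:
        transcript.append("C: " + cmd)
        for reply in server.handle(cmd):
            transcript.append("S: " + reply)
            if reply.startswith("S MICALG "):
                micalg = reply.split(" ", 2)[2]
            if reply.startswith("ERR"):
                raise RuntimeError(reply)
    return transcript, micalg, fds[4].getvalue()


if __name__ == "__main__":
    lines, alg, sig = run_sign_exchange(b"constructed message body")
    print("\n".join(lines))
    print("MICALG:", alg, "signature bytes:", len(sig))
```

Running the script prints the client and server lines in order, ending with the MICALG status and the final OK; a client that waits for OK before reading OUTPUT sees the complete detached signature, which is the sequence the text requires.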