2.6.2 Signing a Hash

The client ask the agent to sign a given hash value. A default key will be chosen if no key has been set. To set a key a client first uses:

   SIGKEY <keyGrip>

This can be used multiple times to create multiple signature, the list of keys is reset with the next PKSIGN command or a RESET. The server test whether the key is a valid key to sign something and responds with okay.

   SETHASH --hash=<name>|<algo> <hexstring>

The client can use this command to tell the server about the data <hexstring> (which usually is a hash) to be signed. <algo> is the decimal encoded hash algorithm number as used by Libgcrypt. Either <algo> or –hash=<name> must be given. Valid names for <name> are:

sha1

sha256

rmd160

md5

tls-md5sha1

The actual signing is done using

   PKSIGN <options>

Options are not yet defined, but my later be used to choose among different algorithms. The agent does then some checks, asks for the passphrase and as a result the server returns the signature as an SPKI like S-expression in "D" lines:

     (sig-val
       (<algo>
         (<param_name1> <mpi>)
 	   ...
         (<param_namen> <mpi>)))

The operation is affected by the option

   OPTION use-cache-for-signing=0|1

The default of 1 uses the cache. Setting this option to 0 will lead gpg-agent to ignore the passphrase cache. Note, that there is also a global command line option for gpg-agent to globally disable the caching.

Here is an example session:

   C: SIGKEY <keyGrip>
   S: OK key available
   C: SIGKEY <keyGrip>
   S: OK key available
   C: PKSIGN
   S: # I did ask the user whether he really wants to sign
   S: # I did ask the user for the passphrase
   S: INQUIRE HASHVAL
   C: D ABCDEF012345678901234
   C: END
   S: # signature follows
   S: D (sig-val rsa (s 45435453654612121212))
   S: OK