---

A.2 UI Server: Sign a Message

The server needs to implement opaque signing as well as detached signing. Due to the nature of OpenPGP messages it is always required to send the entire message to the server; sending just the hash is not possible. The following two commands are required to set the input and output file descriptors:

Command: INPUT FD=n ¶

Set the file descriptor for the message to be signed to n. The message send to the server is binary encoded. For details on the file descriptor, see the description of INPUT in the ENCRYPT section.

Command: OUTPUT FD=n [--binary] ¶

Set the file descriptor to be used for the output. The output is either the complete signed message or in case of a detached signature just that detached signature. If the option --binary is given the output shall be in binary format; if not given, the output for OpenPGP needs to be ASCII armored and for CMS Base-64 encoded. For details on the file descriptor, see the INPUT command.

To allow the server the selection of a non-default signing key the client may optionally use the SENDER command, see command SENDER.

The signing operation is then initiated by:

Command: SIGN --protocol=name [--detached] ¶

Sign the data set with the INPUT command and write it to the sink set by OUTPUT. name is the signing protocol used for the message. For a description of the allowed protocols see the ENCRYPT command. With option --detached given, a detached signature is created; this is actually the usual way the command is used.

The client expects the server to send at least this status information before the final OK response:

Status line: MICALG string ¶

The string represents the hash algorithm used to create the signature. It is used with RFC-1847 style signature messages and defined by PGP/MIME (RFC-3156) and S/MIME (RFC-3851). The GPGME library has a supporting function gpgme_hash_algo_name to return the algorithm name as a string. This string needs to be lowercased and for OpenPGP prefixed with "pgp-".