In-memory GPG signing (or possibly using a temporary keyring)

Posted by 淺唱寂寞╮ on 2019-12-11 07:33:44

Question


I'm working on a web app that needs to create GPG signatures for files as they're uploaded by someone on staff. However, for security, I don't want to keep the signing key on the webserver, even though it's protected by a passphrase.

One solution I was looking into was to prompt for the private key on startup of the webapp, and store it in memory. Then, pass in the text of the key when signing, instead of using a key from the keyring.

However, I've done a lot of looking around and can't find any way to do this. GPG expects the key to be in the keyring. Any suggestions, or better ideas? I'm using Python, but any command-line tools/scripts would work great as well.

(I realize I can always just generate signatures manually, on a non-public-facing machine...but I wanted to investigate this first, because if it's possible it would be much more convenient.)


Answer 1:


This answer on superuser might give you some ideas. It's written for encrypting with a public key, but it would be easy to adapt. The long and short: you could use gpg --homedir SOMEDIR, where SOMEDIR was a directory on a tmpfs filesystem like the traditional /dev/shm.
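A concrete version of the `--homedir` on tmpfs approach from the answer, written as an added example (it is not code from the original question or answer). It assumes GnuPG 2.1 or newer on `PATH`, `mktemp`, and that `/dev/shm` is a tmpfs mount (a common Linux default, but only `findmnt /dev/shm` proves it); if `/dev/shm` is not writable it falls back to `$TMPDIR`, which is usually disk-backed and therefore not what the answer intends. The key ID, user ID and file names are placeholders. The `import_key` function is the path the question describes (the key text prompted for at startup lands in the throwaway keyring); `gen_key` only exists so the example runs stand-alone with a throwaway key.

```shell
#!/bin/sh
# Added example: sign uploads with a key that lives only in a temporary GnuPG
# home on tmpfs, then wipe that home. Not from the original post.
set -eu

# Prefer a tmpfs-backed base directory. Assumption: /dev/shm is tmpfs here.
pick_base() {
  if [ -d /dev/shm ] && [ -w /dev/shm ]; then
    printf '%s\n' /dev/shm
  else
    printf '%s\n' "${TMPDIR:-/tmp}"   # fallback is probably disk-backed
  fi
}

# Fresh private GnuPG home (gpg warns on anything looser than 0700).
new_keyring() {
  dir=$(mktemp -d "$(pick_base)/gpghome.XXXXXX")
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# The deployment path: import the ASCII-armored private key that was
# prompted for at startup. $2 is a file (or a FIFO / process substitution).
import_key() {   # import_key HOMEDIR KEYFILE
  gpg --homedir "$1" --batch --quiet --import "$2"
}

# Test-only path: make a throwaway unprotected ed25519 signing key so the
# example runs without any real key material. Placeholder user ID.
gen_key() {      # gen_key HOMEDIR
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Upload Signer (temporary) <signer@example.invalid>' \
      ed25519 sign 0
}

# Detached ASCII-armored signature written next to the file as FILE.asc.
sign_file() {    # sign_file HOMEDIR FILE
  gpg --homedir "$1" --batch --yes --quiet --detach-sign --armor \
      --output "$2.asc" "$2"
}

# Exit status 0 only if the signature verifies against the temporary keyring.
verify_file() {  # verify_file HOMEDIR FILE
  gpg --homedir "$1" --batch --quiet --verify "$2.asc" "$2" 2>/dev/null
}

# Tear-down: stop the agent that caches the decrypted key for this home,
# overwrite files where shred exists, then remove the directory.
destroy_keyring() {  # destroy_keyring HOMEDIR
  gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
  find "$1" -type f -exec shred -u {} \; 2>/dev/null || true
  rm -rf "$1"
}

# Demo: ./sign-tmpfs.sh --demo path/to/upload
if [ "${1:-}" = "--demo" ] && [ -n "${2:-}" ]; then
  home=$(new_keyring)
  gen_key "$home"                     # or: import_key "$home" /path/to/key.asc
  sign_file "$home" "$2"
  verify_file "$home" "$2" && printf 'signed %s -> %s.asc\n' "$2" "$2"
  destroy_keyring "$home"
fi
```

Two caveats the answer leaves implicit: tmpfs pages can still be written to swap unless swap is off or encrypted, and anything running as the web server's user (or root) can read `/dev/shm/gpghome.*` while the keyring exists. The approach keeps the key off persistent storage; it does not protect the key from a compromise of the web process itself.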



Source: https://stackoverflow.com/questions/12984992/in-memory-gpg-signing-or-possibly-using-a-temporary-keyring
