Signing raw binary data


#1

Is it at all possible to send binary data to a Nitrokey Start and get the binary of the resulting signature back?
Does the key performs any action on the input binary, like hash function, prior to signing that data?

Unfortunately, GnuPG doesn’t allow such function since it adds a trailer to the input data and hashes it again altogether before creating a signature, so I’m looking for an alternative interface to communicate with the key and which would allow such behavior.


#2

OpenPGP card specification confirms that card should not perform any action on messages prior to signing. I will therefore dig further and try to communicate directly with the card using OpenSC


#3

If the specification does not allow it, then OpenSC won’t help either, I guess.


#4

RFC4880bis does indeed confirm that input binary will be hashed, added a trailer to and hashed again all together.
Nevertheless, OpenPGP card specification confirms at page 85 that the digest is forwarded to the card for signature. In other word, the card doesn’t hash or salt input data which simply has to match a specific format as outline at page 53. There is a few restriction thought but nothing that should prevent me to sign hashed binary data without the PGP trailer.