We want to evaluate a way for lightweight OpenPGP signing, that does not involve sending entire files to the signing service (as this leads to congestion). This requires a client-side executable, that creates a specific, versioned payload (e.g. JSON) consisting of required file metadata and hash to create a valid OpenPGP signature. Later, the payload is sent to the signing service, which creates a cryptographic signature over the provided data and returns a valid OpenPGP signature.