In Google Distributed Cloud (GDC) air-gapped, the AO performs sign and verify operations against the KMS through a gRPC client. The private half of the signing key stays inside the KMS: the client submits the data to be signed and receives the signature back, and never handles the key material itself.
Before you begin
To get the required permissions to sign data, ask your Organization IAM Admin to
grant you the KMS Developer (kms-developer) role in your project namespace.
Sign data
To sign data, use the gdcloud kms keys asymmetric-sign command. This command
creates a digital signature over the contents of an input file with the
specified signing key and writes the base64 encoded signature to the output
file you name.
- To sign your data, pass in the key name and the following:

    gdcloud kms keys asymmetric-sign \
      namespaces/NAMESPACE/signingKeys/KEY_NAME \
      --input-file=INPUT_PATH \
      --signature-file=SIGNATURE_FILE

  Replace the following variables:
  - NAMESPACE: the project namespace, for example: kms-test1.
  - KEY_NAME: the name of the key used to sign, for example: key-1.
  - INPUT_PATH: the path of the input file you want to sign.
  - SIGNATURE_FILE: the path of the output file in which to save the base64 encoded signature.
- After running the command, the file you specified in the --signature-file flag contains the base64 encoded signature.
Verify data
After signing your data, verify the base64 encoded digital signature using
the gdcloud kms keys asymmetric-verify command. This command checks whether
the signature produced by gdcloud kms keys asymmetric-sign is valid for the
given input file and key. Verification succeeds only if the input file is
byte-for-byte the data that was signed and the signature was produced with
the named key; a modified input file, or a signature made with a different
key, fails verification.
- To verify the signature, pass in the signature file and the following:

    gdcloud kms keys asymmetric-verify \
      namespaces/NAMESPACE/signingKeys/KEY_NAME \
      --input-file=INPUT_PATH \
      --signature-file=SIGNATURE_FILE

  Use the same NAMESPACE and KEY_NAME that you used to sign, the INPUT_PATH of the file whose signature you are checking, and the SIGNATURE_FILE written by the sign command.
- After running the command, you see the output Verification OK if successful. If not successful, you see the failure output Verification Failure.
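The two gdcloud commands need a GDC organization and a KMS key, so they cannot be exercised offline. The following shell script is an added example and is not part of the GDC documentation or the gdcloud tool: it replays the same sequence (sign a file, store the signature base64 encoded, verify it, then watch verification fail for a modified file and for a signature made with a different key) using openssl and a locally generated P-256 key as a stand-in for the KMS signing key. The key names key-1 and key-2, the manifest files and the choice of SHA-256 ECDSA are constructed for the example; in GDC the private key stays inside the KMS and the client never handles it.

```shell
#!/bin/sh
# Added example (not GDC's code): replays the asymmetric-sign /
# asymmetric-verify flow with openssl and a locally generated P-256 key,
# so the behaviour can be exercised without a GDC organization. The local
# key, the key names and the input files are constructed stand-ins.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for namespaces/NAMESPACE/signingKeys/KEY_NAME.
# $1 = key name
make_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.pem" 2>/dev/null
  openssl ec -in "$WORK/$1.pem" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Mirrors: gdcloud kms keys asymmetric-sign KEY --input-file=$2 --signature-file=$3
# Signs the SHA-256 digest of the exact input bytes and stores the DER
# signature base64 encoded on a single line.
# $1 = key name, $2 = input path, $3 = signature file
sign_file() {
  openssl dgst -sha256 -sign "$WORK/$1.pem" "$2" | openssl base64 -A > "$3"
}

# Mirrors: gdcloud kms keys asymmetric-verify KEY --input-file=$2 --signature-file=$3
# Decodes the base64 signature file and checks it against the input with the
# named key. Prints the same strings the gdcloud command documents and
# returns 0 on success, 1 on failure.
# $1 = key name, $2 = input path, $3 = signature file
verify_file() {
  rm -f "$WORK/sig.der"
  openssl base64 -d -A -in "$3" -out "$WORK/sig.der" 2>/dev/null || true
  if openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/sig.der" "$2" >/dev/null 2>&1; then
    echo "Verification OK"
    return 0
  fi
  echo "Verification Failure"
  return 1
}

# Walk-through with a constructed input file.
make_key key-1
printf 'artifact: app-image\nversion: 1.0\n' > "$WORK/manifest.txt"
sign_file key-1 "$WORK/manifest.txt" "$WORK/manifest.sig"
verify_file key-1 "$WORK/manifest.txt" "$WORK/manifest.sig"                 # Verification OK

# A one-byte change to the input invalidates the signature.
printf 'artifact: app-image\nversion: 1.1\n' > "$WORK/manifest-tampered.txt"
verify_file key-1 "$WORK/manifest-tampered.txt" "$WORK/manifest.sig" || true  # Verification Failure

# A valid signature from a different key does not verify under key-1.
make_key key-2
sign_file key-2 "$WORK/manifest.txt" "$WORK/other.sig"
verify_file key-1 "$WORK/manifest.txt" "$WORK/other.sig" || true             # Verification Failure
```

Run it with sh; it prints Verification OK once and Verification Failure twice. When wrapping a verification step in automation, branch on the exit status of the verifying function rather than on the printed text, so that a partial or garbled signature file is treated as a failure and not as an absence of output.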