Sign and verify data

The AO performs sign and verify operations against the KMS in Google Distributed Cloud (GDC) air-gapped through a gRPC client.

Before you begin

To get the required permissions to sign data, ask your Organization IAM Admin to grant you the KMS Developer (kms-developer) role in your project namespace.

Sign data

To sign data, use the gdcloud kms keys asymmetric-sign command. This command creates a digital signature over an input file using the signing key and saves the base64 encoded signature to a file.

  • To sign your data, pass in the key name and the following:

    gdcloud kms keys asymmetric-sign \
      namespaces/NAMESPACE/signingKeys/KEY_NAME \
      --input-file=INPUT_PATH \
      --signature-file=SIGNATURE_FILE

    Replace the following variables:

    • NAMESPACE: the project namespace—for example: kms-test1.
    • KEY_NAME: the name of the key used to sign—for example: key-1.
    • INPUT_PATH: the path of the input file you want to have signed.
    • SIGNATURE_FILE: the path of the output file to save the base64 encoded signature.

    After running the command, the file you specified in the --signature-file flag contains the base64 encoded signature.

Verify data

After signing your data, verify the base64 digital signature using the gdcloud kms keys asymmetric-verify command. This command checks whether the base64 encoded digital signature produced by the gdcloud kms keys asymmetric-sign command is valid for the given input file.

  • To verify the signature, pass in the signature file and the following:

    gdcloud kms keys asymmetric-verify \
      namespaces/NAMESPACE/signingKeys/KEY_NAME \
      --input-file=INPUT_PATH \
      --signature-file=SIGNATURE_FILE

    After running the command, you see the output Verification OK if the signature is valid. If it is not, you see the output Verification Failure.
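As an added example (not part of the GDC documentation), the following POSIX shell wrapper runs the two commands above, maps the CLI's text result to an exit status so callers never have to grep for it, and performs a sign, verify, tamper, re-verify round trip to confirm that a modified file is rejected. It assumes gdcloud is on PATH and that the caller holds the kms-developer role in NAMESPACE; GDCLOUD, sign_file, verify_file and sign_and_check_tamper are names chosen here.

```shell
#!/bin/sh
# Added example, not from the GDC documentation. Assumes the gdcloud CLI is on
# PATH and the caller holds kms-developer in NAMESPACE. Set GDCLOUD to point
# at a different binary if needed (assumed variable, not a gdcloud setting).
GDCLOUD="${GDCLOUD:-gdcloud}"

# Sign INPUT with the signing key, writing the base64 signature to SIG.
sign_file() { # sign_file NAMESPACE KEY_NAME INPUT SIG
  "$GDCLOUD" kms keys asymmetric-sign \
    "namespaces/$1/signingKeys/$2" \
    --input-file="$3" \
    --signature-file="$4"
}

# Verify SIG over INPUT. Exit status: 0 = Verification OK,
# 1 = Verification Failure, 2 = anything else (CLI or auth error), with the
# raw output echoed to stderr so the cause is not silently swallowed.
verify_file() { # verify_file NAMESPACE KEY_NAME INPUT SIG
  out=$("$GDCLOUD" kms keys asymmetric-verify \
    "namespaces/$1/signingKeys/$2" \
    --input-file="$3" \
    --signature-file="$4" 2>&1) || true
  case "$out" in
    *"Verification OK"*) return 0 ;;
    *"Verification Failure"*) return 1 ;;
    *) printf 'unexpected verify output: %s\n' "$out" >&2; return 2 ;;
  esac
}

# Round trip: sign INPUT, check the signature verifies, then confirm that a
# one-byte modification of the data is rejected. Returns 0 only if both hold.
sign_and_check_tamper() { # sign_and_check_tamper NAMESPACE KEY_NAME INPUT
  ns=$1; key=$2; input=$3
  sig="$input.sig"; tampered="$input.tampered"
  sign_file "$ns" "$key" "$input" "$sig" || return 2
  verify_file "$ns" "$key" "$input" "$sig" \
    || { echo "original file rejected" >&2; return 1; }
  cp "$input" "$tampered" || return 2
  printf 'x' >> "$tampered"
  rc=0; verify_file "$ns" "$key" "$tampered" "$sig" || rc=$?
  [ "$rc" -eq 1 ] \
    || { echo "tampered file not rejected (rc=$rc)" >&2; return 1; }
  echo "signature verified and tamper detected"
}

# Usage: ./sign_verify.sh NAMESPACE KEY_NAME INPUT_PATH
if [ "$#" -eq 3 ]; then sign_and_check_tamper "$@"; fi
```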