The AO performs sign and verify operations against the KMS in Google Distributed Cloud (GDC) air-gapped through a gRPC client.
Before you begin
To get the required permissions to sign data, ask your Organization IAM Admin to grant you the KMS Developer (kms-developer) role in your project namespace.
Sign data
To sign data, use the gdcloud kms keys asymmetric-sign command. This command creates a digital signature of an input file using the Signing key, and saves the base64 encoded signature.
To sign your data, pass in the key name and the following:
gdcloud kms keys asymmetric-sign \
  namespaces/NAMESPACE/signingKeys/KEY_NAME \
  --input-file=INPUT_PATH \
  --signature-file=SIGNATURE_FILE
Replace the following variables:
- NAMESPACE: the project namespace, for example: kms-test1.
- KEY_NAME: the name of the key used to sign, for example: key-1.
- INPUT_PATH: the path of the input file you want to have signed.
- SIGNATURE_FILE: the path of the output file to save the base64 encoded signature.
After running the command, you see the output file you specified in the --signature-file flag that contains the base64 encoded signature.
Verify data
After signing your data, verify the base64 digital signature using the gdcloud kms keys asymmetric-verify command. This command verifies whether or not the base64 encoded digital signature you receive after running the gdcloud kms keys asymmetric-sign command is valid.
To verify the signature, pass in the signature file and the following, using the same variable values as for signing:
gdcloud kms keys asymmetric-verify \
  namespaces/NAMESPACE/signingKeys/KEY_NAME \
  --input-file=INPUT_PATH \
  --signature-file=SIGNATURE_FILE
After running the command, you see the output Verification OK if successful. If not successful, you see the failure output Verification Failure.
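The following script is an added example, not part of the GDC documentation or the gdcloud tool itself. It wraps the sign and verify commands described in both sections above so that a release pipeline signs an artifact, immediately verifies the signature, and fails closed unless the verifier prints the documented Verification OK string. It assumes that gdcloud is on PATH and already authenticated, that the key resource name format and the Verification OK / Verification Failure outputs are as documented on this page, and that any other output (for example a connection error) must be treated as a failure rather than a success. The function and variable names (key_resource, sign_file, verify_file, classify_verify_output, GDCLOUD) are the example's own.

```shell
#!/bin/sh
# Added example (not from the GDC docs): wrap the documented gdcloud sign/verify
# commands so a pipeline fails closed when a signature does not verify.
# Assumptions: gdcloud is on PATH and authenticated; the key resource name format
# and the "Verification OK" / "Verification Failure" strings are as documented.
# GDCLOUD may be overridden (hypothetical knob) to point at a wrapper binary.

GDCLOUD="${GDCLOUD:-gdcloud}"

# Build the full key resource name from a project namespace and a key name.
key_resource() {
  printf 'namespaces/%s/signingKeys/%s\n' "$1" "$2"
}

# Sign $3 with the named key; writes the base64 signature to $4.
sign_file() {
  ns=$1; key=$2; input=$3; sig=$4
  "$GDCLOUD" kms keys asymmetric-sign \
    "$(key_resource "$ns" "$key")" \
    --input-file="$input" \
    --signature-file="$sig"
}

# Map the verifier's output text to an exit status:
#   0 for "Verification OK", 1 for "Verification Failure",
#   2 for anything else (unexpected output is never treated as success).
classify_verify_output() {
  case $1 in
    *"Verification OK"*)      return 0 ;;
    *"Verification Failure"*) return 1 ;;
    *)                        return 2 ;;
  esac
}

# Verify $3 against the signature in $4; succeeds only on "Verification OK".
# Output is captured and classified rather than relying on the exit code alone.
verify_file() {
  ns=$1; key=$2; input=$3; sig=$4
  out=$("$GDCLOUD" kms keys asymmetric-verify \
    "$(key_resource "$ns" "$key")" \
    --input-file="$input" \
    --signature-file="$sig" 2>&1) || true
  classify_verify_output "$out"
}

# Sign an artifact, then verify it; returns non-zero unless verification is OK.
sign_and_verify() {
  ns=$1; key=$2; input=$3; sig=$4
  sign_file "$ns" "$key" "$input" "$sig" || { echo "signing $input failed" >&2; return 1; }
  if verify_file "$ns" "$key" "$input" "$sig"; then
    echo "signature for $input verified with $(key_resource "$ns" "$key")"
  else
    echo "signature for $input did NOT verify; refusing to proceed" >&2
    return 1
  fi
}

# Example invocation (needs a reachable GDC KMS; values below are placeholders):
#   sh sign_verify.sh kms-test1 key-1 ./release.tar.gz ./release.tar.gz.sig
if [ "$#" -eq 4 ]; then
  sign_and_verify "$@"
fi
```

The verifier's result is taken from its printed output because that is what the documentation specifies; classifying any unexpected text as a failure (status 2) means a transport error or a missing signature file cannot be mistaken for a valid signature.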