The AO performs sign and verify operations in Google Distributed Cloud (GDC) air-gapped
by calling the KMS through a gRPC client.
Before you begin
To get the required permissions to sign data, ask your Organization IAM Admin to
grant you the KMS Developer (kms-developer) role in your project namespace.
Sign data
To sign data, use the gdcloud kms keys asymmetric-sign command. This command
creates a digital signature of an input file using the Signing key, and saves
the base64 encoded signature.
To sign your data, pass in the key name and the following:
    gdcloud kms keys asymmetric-sign \
      namespaces/NAMESPACE/signingKeys/KEY_NAME \
      --input-file=INPUT_PATH \
      --signature-file=SIGNATURE_FILE
Replace the following variables:
NAMESPACE: the project namespace, for example: kms-test1.
KEY_NAME: the name of the key used to sign, for example: key-1.
INPUT_PATH: the path of the input file you want to
have signed.
SIGNATURE_FILE: the path of the output file to save
the base64 encoded signature.
After running the command, the output file you specified in the
--signature-file flag contains the base64 encoded signature.
Verify data
After signing your data, verify the base64 digital signature using
the gdcloud kms keys asymmetric-verify command. This command verifies whether
or not the base64 encoded digital signature you receive after running the
gdcloud kms keys asymmetric-sign command is valid.
To verify the signature, pass in the signature file and the following:
    gdcloud kms keys asymmetric-verify \
      namespaces/NAMESPACE/signingKeys/KEY_NAME \
      --input-file=INPUT_PATH \
      --signature-file=SIGNATURE_FILE
After running the command, you see the output Verification OK if
successful. If not successful, you see the failure output
Verification Failure.
Note: The failure output Verification Failure might result if the paths of the
signature and input files are not correct, or if the signature file is empty.
Last updated 2025-08-29 UTC.
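The page notes that Verification Failure can come from wrong file paths or an empty signature file, not only from a bad signature. The following added example (not part of the GDC documentation) wraps the two commands so those local causes are reported separately from a signature the KMS rejects; the function names and return codes are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the GDC documentation.
# Function names and return codes are constructed for this example:
#   0 = Verification OK        1 = KMS reported a failure
#   2 = input file missing     3 = signature file missing
#   4 = signature file empty

# Check the local causes of "Verification Failure" named in the note
# before calling the KMS, so a bad path is not mistaken for a bad signature.
preflight() {
  local input="$1" sig="$2"
  [ -f "$input" ] || { echo "input file not found: $input" >&2; return 2; }
  [ -f "$sig" ]   || { echo "signature file not found: $sig" >&2; return 3; }
  [ -s "$sig" ]   || { echo "signature file is empty: $sig" >&2; return 4; }
}

# verify_file KEY INPUT_PATH SIGNATURE_FILE
# KEY has the form namespaces/NAMESPACE/signingKeys/KEY_NAME.
verify_file() {
  local key="$1" input="$2" sig="$3" out
  preflight "$input" "$sig" || return $?
  out=$(gdcloud kms keys asymmetric-verify "$key" \
    --input-file="$input" --signature-file="$sig" 2>&1) || true
  # Decide on the documented output string, not on the exit status.
  case $out in
    *"Verification OK"*) return 0 ;;
    *) echo "$out" >&2; return 1 ;;
  esac
}

# sign_file KEY INPUT_PATH SIGNATURE_FILE
# Signs, then confirms that a non-empty signature file was written.
sign_file() {
  local key="$1" input="$2" sig="$3"
  [ -f "$input" ] || { echo "input file not found: $input" >&2; return 2; }
  gdcloud kms keys asymmetric-sign "$key" \
    --input-file="$input" --signature-file="$sig" || return 1
  [ -s "$sig" ] || { echo "no signature written to: $sig" >&2; return 4; }
}
```

In a pipeline, treat return codes 2 to 4 as an operational error to fix and retry, and return code 1 as a rejected signature that must block the artifact.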