Sign and verify data

The AO performs sign and verify operations against the KMS in Google Distributed Cloud (GDC) air-gapped through a gRPC client.

Before you begin

Before performing KMS operations, configure kubectl to access the Management API server and get the necessary permissions.

Configure Management API server access

Configure kubectl to access the Management API server:

  1. If you have not already done so, get a kubeconfig file for the Management API server using the gdcloud command-line interface (CLI).
  2. Set the MANAGEMENT_API_SERVER environment variable:

    export MANAGEMENT_API_SERVER=PATH_TO_KUBECONFIG
    

    Replace PATH_TO_KUBECONFIG with the path of the generated kubeconfig file.

  3. If you have not already done so, download, install, and configure the gdcloud CLI. To do this, follow the gdcloud CLI overview.

Required permissions

To get the permissions you need, ask your Organization IAM Admin to grant you the KMS Developer (kms-developer) role in your project.

Sign data

To sign data, use the gdcloud kms keys asymmetric-sign command. This command creates a digital signature of an input file using the specified signing key, and saves the base64 encoded signature to an output file.

  • To sign your data, pass in the key name and the following:

    gdcloud kms keys asymmetric-sign \
    namespaces/NAMESPACE/signingKeys/KEY_NAME \
    --input-file=INPUT_PATH \
    --signature-file=SIGNATURE_FILE
    

    Replace the following variables:

    • NAMESPACE: the project namespace—for example: kms-test1.
    • KEY_NAME: the name of the key used to sign—for example: key-1.
    • INPUT_PATH: the path of the input file you want to have signed.
    • SIGNATURE_FILE: the path of the output file to save the base64 encoded signature.

    After running the command, the file you specified in the --signature-file flag contains the base64 encoded signature.

Verify data

After signing your data, verify the base64 encoded digital signature using the gdcloud kms keys asymmetric-verify command. This command checks whether the signature produced by the gdcloud kms keys asymmetric-sign command is valid for the given input file and key.

  • To verify the signature, pass in the key name, the input file, and the signature file:

    gdcloud kms keys asymmetric-verify \
    namespaces/NAMESPACE/signingKeys/KEY_NAME \
    --input-file=INPUT_PATH \
    --signature-file=SIGNATURE_FILE

    Replace NAMESPACE, KEY_NAME, and INPUT_PATH with the same values you used when signing, and SIGNATURE_FILE with the path of the signature file written by the asymmetric-sign command.

    After running the command, you see the output Verification OK if successful. If not successful, you see the failure output Verification Failure.
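The sign-then-verify round trip from the two sections above, wrapped in a small POSIX shell script that turns the CLI's "Verification OK" / "Verification Failure" text into an exit status and then confirms that a modified copy of the input no longer verifies. This is an added example and is not part of the GDC documentation; the GDCLOUD override variable, the sign_file, verify_file and check_tamper helper names, and the default namespace and key values (reusing the kms-test1 and key-1 examples from this page) are assumptions.

```shell
#!/bin/sh
# Added example (not GDC documentation code): sign a file with a GDC KMS
# signing key, verify it, and confirm that tampering is detected.
set -eu

GDCLOUD="${GDCLOUD:-gdcloud}"        # assumption: override to point at a specific binary
NAMESPACE="${NAMESPACE:-kms-test1}"   # project namespace (example value from the docs)
KEY_NAME="${KEY_NAME:-key-1}"         # signing key name (example value from the docs)

# sign_file INPUT SIGNATURE_FILE
# Writes the base64 encoded signature of INPUT to SIGNATURE_FILE.
sign_file() {
  "$GDCLOUD" kms keys asymmetric-sign \
    "namespaces/$NAMESPACE/signingKeys/$KEY_NAME" \
    --input-file="$1" \
    --signature-file="$2"
}

# verify_file INPUT SIGNATURE_FILE
# Returns 0 only when the CLI reports "Verification OK"; any other output
# (including "Verification Failure") returns 1, so scripts can branch on
# the exit status instead of reading the text by eye.
verify_file() {
  out=$("$GDCLOUD" kms keys asymmetric-verify \
    "namespaces/$NAMESPACE/signingKeys/$KEY_NAME" \
    --input-file="$1" \
    --signature-file="$2" 2>&1) || true
  case "$out" in
    *"Verification OK"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_tamper INPUT SIGNATURE_FILE
# Signs INPUT, verifies it, then appends one byte to a scratch copy and
# verifies that copy against the same signature. Prints "tamper-detected"
# (exit 0) when the original passes and the modified copy fails.
check_tamper() {
  sign_file "$1" "$2"
  if ! verify_file "$1" "$2"; then
    echo "original-failed"
    return 1
  fi
  scratch="$1.modified"
  cp "$1" "$scratch"
  printf 'x' >> "$scratch"
  if verify_file "$scratch" "$2"; then
    echo "tamper-missed"
    return 1
  fi
  echo "tamper-detected"
}

# Usage: ./sign_verify.sh INPUT_PATH SIGNATURE_FILE
if [ "$#" -ge 2 ]; then
  check_tamper "$1" "$2"
fi
```

Because verify_file reads the CLI's text rather than its exit code, it stays correct whether or not a given gdcloud build exits non-zero on a failed verification; the check_tamper round trip is a quick way to confirm that a signing key and its namespace are wired up correctly before depending on them.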