README

PGP Signing
===========

.. sectnum::
.. contents:: Table of Contents

This signer implements the Pretty Good Privacy signature format. It accepts data
on the `/sign/data` interface and returns armored detached signatures.

Example:

.. code:: bash

    # request a signature using the autograph client
    $ go run client.go -d $(base64 /tmp/pgpinput.txt) -k randompgp \
      -o /tmp/testsig.pgp -ko /tmp/testkey.asc

    # import the public key returned by autograph into a temp keyring
    $ gpg --no-default-keyring --keyring /tmp/testkeyring.pgp \
      --secret-keyring /tmp/testsecring.gpg --import /tmp/testkey.asc

    # verify the signature using the temp keyring
    $ gpg --no-default-keyring --keyring /tmp/testkeyring.pgp \
      --secret-keyring /tmp/testsecring.gpg \
      --verify /tmp/testsig.pgp /tmp/pgpinput.txt

Configuration
-------------

Place a PGP Private Key in `autograph.yaml`:

.. code:: yaml

    signers:
    - id: some-pgp-key
      type: pgp
      privatekey: |
        -----BEGIN PGP PRIVATE KEY BLOCK-----

        lQOYBFuW9xABCACzCLYHwgGba7hi+lwhD/Hr5qqpg+UuN+88NclYgLWyl1nPpx2D
        ...
        HQASoA7mirON
        =vJUu
        -----END PGP PRIVATE KEY BLOCK-----

Signature request
-----------------

This signer only supports the `/sign/data/` endpoint.

.. code:: json

    [
        {
            "input": "Y2FyaWJvdW1hdXJpY2UK",
            "keyid": "some-pgp-key"
        }
    ]

Signature response
------------------

The response to a data signing request contains a PGP armored detached
signature in its raw form: the newlines are preserved, but JSON marshalling
escapes them as `\n`, so the whole block appears on a single line. Write the
string out to a file (with the escapes decoded by your JSON parser) to recover
the standard armored signature that gnupg expects.

.. code:: json

    [
      {
        "ref": "7khgpu4gcfdv30w8joqxjy1cc",
        "type": "pgp",
        "signer_id": "some-pgp-key",
        "public_key":"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nxsBNBFuW9xABCACzCLYHwg...",
        "signature":"-----BEGIN PGP SIGNATURE-----\n\nwsBcBAABCAAQBQJbt3KqCRDdCl2Z...."
      }
    ]
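As an added example that is not part of autograph or this README, the Go code below reads a response like the one above: `json.Unmarshal` restores the newlines that marshalling escaped as `\n`, then the armor is stripped and its CRC-24 trailer is checked before the binary signature packets are handed to an OpenPGP verifier. It assumes, as the sample shows, that autograph emits no armor header lines, and it does not verify the signature itself; that still needs the returned public key and gpg or an OpenPGP library.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// crc24 is the OpenPGP ASCII-armor checksum (RFC 4880, section 6.1).
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			if crc <<= 1; crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// decodeArmor strips the armor header and footer, base64-decodes the body and verifies the "=xxxx" CRC-24 line (assumes no armor header lines, which matches autograph's output).
func decodeArmor(armored string) ([]byte, error) {
	const head, foot = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"
	start, end := strings.Index(armored, head), strings.LastIndex(armored, foot)
	if start < 0 || end < start+len(head) {
		return nil, errors.New("missing PGP SIGNATURE armor header or footer")
	}
	body := strings.Fields(armored[start+len(head) : end]) // base64 lines, then the checksum line
	if len(body) < 2 || !strings.HasPrefix(body[len(body)-1], "=") {
		return nil, errors.New("missing armor checksum line")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.Join(body[:len(body)-1], ""))
	c, cerr := base64.StdEncoding.DecodeString(body[len(body)-1][1:])
	if err != nil || cerr != nil || len(c) != 3 || crc24(raw) != uint32(c[0])<<16|uint32(c[1])<<8|uint32(c[2]) {
		return nil, errors.New("malformed armor body or CRC-24 checksum mismatch")
	}
	return raw, nil // binary signature packet(s), ready for an OpenPGP verifier
}

// signatureFromResponse takes the JSON array returned by /sign/data; json.Unmarshal restores the escaped newlines.
func signatureFromResponse(resp []byte) ([]byte, error) {
	var entries []struct{ Signature string `json:"signature"` }
	if err := json.Unmarshal(resp, &entries); err != nil || len(entries) == 0 {
		return nil, errors.New("unexpected signing response")
	}
	return decodeArmor(entries[0].Signature)
}
```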

Documentation
-------------

Constants

.. code:: go

    const (
        // Type of this signer is "pgp", which represents a signer
        // that uses the native golang.org/x/crypto/openpgp to sign
        // data
        Type = "pgp"
    )

Variables

This section is empty.

Functions

func Unmarshal

.. code:: go

    func Unmarshal(sigstr string) (signer.Signature, error)

Unmarshal also does very little. It simply converts the armored signature from a string to a []byte, but doesn't attempt to parse it, and returns it as a Signature.

Types

type Options

.. code:: go

    type Options struct {
    }

Options are not implemented for this signer.

type PGPSigner

.. code:: go

    type PGPSigner struct {
        signer.Configuration
        // contains filtered or unexported fields
    }

PGPSigner holds the configuration of the signer.

func New

.. code:: go

    func New(conf signer.Configuration) (s *PGPSigner, err error)

New initializes a pgp signer using a configuration.

func (*PGPSigner) Config

.. code:: go

    func (s *PGPSigner) Config() signer.Configuration

Config returns the configuration of the current signer.

func (*PGPSigner) GetDefaultOptions

.. code:: go

    func (s *PGPSigner) GetDefaultOptions() interface{}

GetDefaultOptions returns default options of the signer.

func (*PGPSigner) SignData

.. code:: go

    func (s *PGPSigner) SignData(data []byte, options interface{}) (signer.Signature, error)

SignData takes data and returns an armored signature with pgp header and footer.

type Signature

.. code:: go

    type Signature struct {
        Data []byte
    }

Signature is a PGP signature.

func (*Signature) Marshal

.. code:: go

    func (sig *Signature) Marshal() (string, error)

Marshal doesn't do much for this signer. sig.Data already contains an armored signature, so we simply convert it to a string and return it.
