PGP Signature verification?

We are currently passing hashed text into Vault and signing, verifying ok I think. However, I’m confused how someone without access to Vault could confirm the authenticity of, say, a file we have supplied them.

I.E.

  • SHA256 hash produced from file A
  • Hash is signed using a transit/key in Vault
  • File A is sent to customer

What does the customer need and how do they verify the file?

I have private/public encryption keys available in transit/key and also have the signature produced when I signed the File A hash.

Is the public key all they need, and how do they confirm that it’s correct?

There is a GPG 3rd party plugin which more closely matches the type of information I was expecting to see e.g.

{
  "real_name": "John Doe",
  "email": "john.doe@example.com",
  "key_bits": 4096
}

…but I’m not hugely keen on 3rd party non-official plugins and it doesn’t seem to have any key rotation support built-in so we would have to roll our own :frowning:

Sorry this was a long time ago but I thought I’d drop in my blog post on this topic. This can be easily done with the Transit engine. If you’re doing a test on the cli/api there are examples here. Note that when using echo or redirection for testing you may hit issues with the implicit newline it adds, echo -n preferred.
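As an added example (not from the original posts or Vault's own code), the offline check the customer can run with nothing but the file, the signature string Vault returned and the exported PEM public key. It assumes a Transit key of type ecdsa-p256 with the default sha2-256 hash and asn1 marshaling, and that the signature covers the file bytes themselves (or the SHA-256 digest submitted with prehashed=true); the key pair is constructed with openssl here to stand in for the Vault key.

```shell
#!/bin/sh
# Constructed example: a stand-in key pair plays the role of the Vault Transit key.
# The real signer-side commands (assumed key name "file-signing") are shown in comments.
set -eu
WORK=$(mktemp -d)

# --- Signer side -------------------------------------------------------------
# Export the public key for key version 1 (what the customer needs):
#   vault read -format=json transit/keys/file-signing | jq -r '.data.keys["1"].public_key'
# Sign the digest of fileA without letting Vault hash it a second time:
#   vault write -format=json transit/sign/file-signing prehashed=true hash_algorithm=sha2-256 \
#       input="$(sha256sum fileA | cut -d' ' -f1 | xxd -r -p | base64 | tr -d '\n')"
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/signer.pem" 2>/dev/null
openssl ec -in "$WORK/signer.pem" -pubout -out "$WORK/signer-pub.pem" 2>/dev/null
printf 'contents of file A\n' > "$WORK/fileA"                 # constructed sample file
openssl dgst -sha256 -sign "$WORK/signer.pem" -out "$WORK/sig.der" "$WORK/fileA"
# Vault returns the DER-encoded ECDSA signature as "vault:v<key version>:<base64>".
VAULT_SIG="vault:v1:$(base64 < "$WORK/sig.der" | tr -d '\n')"

# --- Customer side -----------------------------------------------------------
# The public key must reach the customer over a channel they already trust;
# the signature only proves that whoever holds this key signed these exact bytes.
# Returns 0 when the signature matches the file, non-zero otherwise.
verify_vault_signature() {
    file=$1; sig=$2; pubkey=$3
    # Drop the "vault:vN:" prefix, then decode the DER signature.
    printf '%s' "${sig#vault:v*:}" | base64 -d > "$WORK/customer-sig.der"
    # openssl hashes the file with SHA-256 itself, matching Vault's default.
    openssl dgst -sha256 -verify "$pubkey" -signature "$WORK/customer-sig.der" "$file" >/dev/null 2>&1
}
```

Because the file bytes are hashed exactly as given, a copy that gained or lost a trailing newline (the echo pitfall mentioned above) fails verification.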