PGP Signature verification?

We are currently passing hashed text into Vault and signing and verifying OK, I think. However, I'm confused how someone without access to Vault could confirm the authenticity of, say, a file we have supplied them.

I.e.

  • SHA256 hash produced from file A
  • Hash is signed using a transit/key in Vault
  • File A is sent to customer

What does the customer need and how do they verify the file?

I have private/public encryption keys available in transit/key and also have the signature produced when I signed the File A hash.

Is the public key all they need, and how do they confirm that it’s correct?

There is a GPG 3rd-party plugin which more closely matches the type of information I was expecting to see, e.g.:

{
  "real_name": "John Doe",
  "email": "john.doe@example.com",
  "key_bits": 4096
}

…but I'm not hugely keen on 3rd-party non-official plugins, and it doesn't seem to have any key rotation support built in, so we would have to roll our own :frowning:
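An added example of what the customer side of the procedure above looks like (this is not from the original post or from Vault's own tooling): the customer needs only the PEM public key exported from `transit/keys/<name>` and the `vault:vN:...` signature string, and the `vN` prefix tells them which key version's public key to use after a rotation. It assumes an ecdsa-p256 transit key signed with `hash_algorithm=sha2-256` and the default asn1 (DER) marshaling; RSA keys signed with the default PSS algorithm need `-sigopt rsa_padding_mode:pss`, and ed25519 keys need `openssl pkeyutl -verify -rawin` instead of `dgst`.

```shell
#!/bin/sh
# Offline verification of a Vault transit signature using only the exported
# public key (no Vault access needed). Assumed setup: ecdsa-p256 key,
# hash_algorithm=sha2-256, asn1 marshaling. Adjust the openssl options for
# other key types as noted above.
#
# Usage: verify_vault_sig <public_key.pem> <file> 'vault:vN:<base64 signature>'

verify_vault_sig() {
    pubkey="$1"; file="$2"; sig="$3"

    # Vault prefixes every signature with the version of the key that made it.
    # After rotation, verify with that version's public_key from
    # `vault read transit/keys/<name>`, not with the newest one.
    case "$sig" in
        vault:v[0-9]*:*) ;;
        *) echo "not a Vault transit signature (missing vault:vN: prefix)" >&2; return 1 ;;
    esac
    version=${sig#vault:v}; version=${version%%:*}
    b64=${sig#vault:v*:}

    sigfile=$(mktemp) || return 1
    # Decode the base64 body to the raw DER signature that openssl expects.
    if ! printf '%s' "$b64" | base64 -d > "$sigfile" 2>/dev/null; then
        rm -f "$sigfile"; echo "signature body is not valid base64" >&2; return 1
    fi

    # openssl re-hashes the file with SHA-256 and checks the signature over that
    # hash, which is exactly what Vault signed when given the prehashed SHA-256.
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sigfile" "$file" >/dev/null 2>&1; then
        rm -f "$sigfile"
        echo "OK: transit key version $version signature verifies $file"
        return 0
    fi
    rm -f "$sigfile"
    echo "FAIL: signature does not verify $file" >&2
    return 1
}

# Run directly as a script: verify_vault_sig.sh pub.pem fileA 'vault:v1:...'
if [ "$#" -eq 3 ]; then
    verify_vault_sig "$@"
fi
```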