We are currently passing hashed text into Vault and signing; verifying is OK, I think. However, I'm confused how someone without access to Vault could confirm the authenticity of, say, a file we have supplied them.
i.e.
- SHA256 hash produced from file A
- Hash is signed using a transit/key in Vault
- File A is sent to customer
What does the customer need and how do they verify the file?
I have private/public encryption keys available in transit/key and also have the signature produced when I signed the File A hash.
Is the public key all they need, and how do they confirm that it’s correct?
There is a GPG 3rd-party plugin which more closely matches the type of information I was expecting to see, e.g.
```json
{
  "real_name": "John Doe",
  "email": "john.doe@example.com",
  "key_bits": 4096
}
```
…but I'm not hugely keen on 3rd-party, non-official plugins, and it doesn't seem to have any key rotation support built in, so we would have to roll our own.
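The following is an added example, not part of the post above, showing what the customer-side verification looks like when all they hold is the exported public key. It assumes (none of this is stated in the post) that the transit key is of type `ecdsa-p256`, that the hash sent to `transit/sign` was SHA-256 with `prehashed=true`, and that the signature has the `vault:v1:<base64>` shape Vault returns, where `v1` is the key version whose public key the customer needs (after a `transit/keys/<name>/rotate` the prefix becomes `v2`, and the customer needs that version's `public_key` from `vault read transit/keys/<name>`). Because the script has to run offline, it generates a throwaway key pair with openssl as a stand-in for the key Vault holds and fabricates the `vault:v1:` string itself; in real use only `pub.pem` and the signature string leave Vault.

```shell
#!/bin/sh
# Added example (not the poster's code): verify a Vault transit ECDSA signature
# with openssl alone. Assumptions: key type ecdsa-p256, sha2-256 with
# prehashed=true, signature in Vault's "vault:vN:<base64 DER>" form.
set -eu
WORK=$(mktemp -d)

# Stand-in for the key that lives in Vault. The customer only ever receives
# pub.pem (the "public_key" field of the matching key version in Vault).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/priv.pem"
openssl ec -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null

# Constructed "File A" sent to the customer.
printf 'release-artifact-contents\n' > "$WORK/fileA"

# Mimic Vault's output: DER-encoded ECDSA signature over SHA-256(fileA),
# base64-encoded and prefixed with the key version.
openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$WORK/sig.der" "$WORK/fileA"
VAULT_SIG="vault:v1:$(base64 < "$WORK/sig.der" | tr -d '\n')"

# What the customer runs. Returns 0 when the file matches the signature,
# 1 on a bad signature or tampered file, 2 on an unrecognised signature format.
#   $1 = file to check   $2 = public key PEM   $3 = signature string from Vault
verify_vault_sig() {
  _ver=$(printf '%s' "$3" | sed -n 's/^vault:v\([0-9][0-9]*\):.*/\1/p')
  if [ -z "$_ver" ]; then
    echo "unexpected signature format (expected vault:vN:...)" >&2
    return 2
  fi
  echo "signature was made with key version $_ver; using $(basename "$2")" >&2
  _tmp=$(mktemp)
  # Strip the "vault:vN:" prefix and decode the base64 body back to DER.
  printf '%s' "$3" | sed 's/^vault:v[0-9]*://' | base64 -d > "$_tmp"
  # openssl re-hashes the file with SHA-256 and checks the ECDSA signature
  # against it, which is exactly what Vault signed when prehashed=true.
  if openssl dgst -sha256 -verify "$2" -signature "$_tmp" "$1" >/dev/null 2>&1; then
    _rc=0
  else
    _rc=1
  fi
  rm -f "$_tmp"
  return $_rc
}

# Demonstration: the genuine file verifies, a modified copy does not.
if verify_vault_sig "$WORK/fileA" "$WORK/pub.pem" "$VAULT_SIG"; then
  echo "fileA: signature OK"
fi
cp "$WORK/fileA" "$WORK/fileB"
printf 'x' >> "$WORK/fileB"
if verify_vault_sig "$WORK/fileB" "$WORK/pub.pem" "$VAULT_SIG"; then
  echo "fileB: signature OK (unexpected)"
else
  echo "fileB: signature REJECTED (tampered)"
fi
```

So the answer to "is the public key all they need" is: the public key of the key version named in the `vault:vN:` prefix, plus knowledge of the hash algorithm and key type. How they confirm the key is correct is a distribution problem rather than a Vault one: the PEM (or its fingerprint) has to reach them over a channel they already trust, such as being published alongside the files, and when you rotate the transit key you republish the new version's public key the same way.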