Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Verify gpg signature in Go openpgp

Tags:

go

gnupg

openpgp

I'm playing with writing a Go program that downloads and verifies files. I am hoping to avoid forcing the user to install gnupg (if possible).

Is it possible to verify a downloaded file with a gpg signature (asc file) as described here or here using Go's openpgp lib or some other Go library?

Any examples demonstrating how to use openpgp to verify a file with an asc signature would be appreciated.

like image 815
mikewilliamson Avatar asked Nov 27 '15 18:11

mikewilliamson


1 Answers

I was able to verify a gpg signature using the following code:

package main

import (
        "fmt"
        "golang.org/x/crypto/openpgp"
        "os"
)

func main() {
        keyRingReader, err := os.Open("signer-pubkey.asc")
        if err != nil {
                fmt.Println(err)
                return
        }

        signature, err := os.Open("signature.asc")
        if err != nil {
                fmt.Println(err)
                return
        }

        verification_target, err := os.Open("mysql-5.7.9-win32.zip")
        if err != nil {
                fmt.Println(err)
                return
        }

        keyring, err := openpgp.ReadArmoredKeyRing(keyRingReader)
        if err != nil {
                fmt.Println("Read Armored Key Ring: " + err.Error())
                return
        }
        entity, err := openpgp.CheckArmoredDetachedSignature(keyring, verification_target, signature)
        if err != nil {
                fmt.Println("Check Detached Signature: " + err.Error())
                return
        }

        fmt.Println(entity)
}

Full code: https://gist.github.com/lsowen/d420a64821414cd2adfb

like image 165
lsowen Avatar answered Sep 20 '22 15:09

lsowen