I'm playing with writing a Go program that downloads and verifies files. I am hoping to avoid forcing the user to install gnupg (if possible).
Is it possible to verify a downloaded file with a gpg signature (asc file) as described here or here using Go's openpgp lib or some other Go library?
Any examples demonstrating how to use openpgp to verify a file with an asc signature would be appreciated.
I was able to verify a gpg signature using the following code:
package main
import (
"fmt"
"golang.org/x/crypto/openpgp"
"os"
)
func main() {
keyRingReader, err := os.Open("signer-pubkey.asc")
if err != nil {
fmt.Println(err)
return
}
signature, err := os.Open("signature.asc")
if err != nil {
fmt.Println(err)
return
}
verification_target, err := os.Open("mysql-5.7.9-win32.zip")
if err != nil {
fmt.Println(err)
return
}
keyring, err := openpgp.ReadArmoredKeyRing(keyRingReader)
if err != nil {
fmt.Println("Read Armored Key Ring: " + err.Error())
return
}
entity, err := openpgp.CheckArmoredDetachedSignature(keyring, verification_target, signature)
if err != nil {
fmt.Println("Check Detached Signature: " + err.Error())
return
}
fmt.Println(entity)
}
Full code: https://gist.github.com/lsowen/d420a64821414cd2adfb
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With