Verify gpg signature in Go openpgp

Question

Verify gpg signature in Go openpgp

I play with writing a Go program that downloads and validates files. I hope to avoid using gnupg by the user (if possible).

Is it possible to check the downloaded file with the gpg signature (asc file) as described here or here using the Go openpgp lib or some other Go library?

It is understood that any examples demonstrating how to use openpgp to verify a file with a signature are signed.

+7

go gnupg openpgp

mikewilliamson Nov 27 '15 at 18:48

source share

1 answer

lsowen · Accepted Answer · 2015-11-30T21:28:54+0000

I was able to verify the gpg signature using the following code:

package main import ( "fmt" "golang.org/x/crypto/openpgp" "os" ) func main() { keyRingReader, err := os.Open("signer-pubkey.asc") if err != nil { fmt.Println(err) return } signature, err := os.Open("signature.asc") if err != nil { fmt.Println(err) return } verification_target, err := os.Open("mysql-5.7.9-win32.zip") if err != nil { fmt.Println(err) return } keyring, err := openpgp.ReadArmoredKeyRing(keyRingReader) if err != nil { fmt.Println("Read Armored Key Ring: " + err.Error()) return } entity, err := openpgp.CheckArmoredDetachedSignature(keyring, verification_target, signature) if err != nil { fmt.Println("Check Detached Signature: " + err.Error()) return } fmt.Println(entity) }

Full code: https://gist.github.com/lsowen/d420a64821414cd2adfb

Verify gpg signature in Go openpgp

More articles: