Verifying GPG signature | Java Community | Help. Code. Learn. | Page 1

feral inlet Jul 12, 2024, 10:12 PM

#

I am trying to verify the GPG signature of a file provided the public key. I am using Kotlin though but the issue is not Kotlin specific, so I didn't know if I should post it here, or in a Kotlin related server. I use the BouncyCaste API. I have verified the signature with GPG but am unable to do it corectly via the BC API. Here is my code:

fun verify(
    fileBytes: ByteArray,
    signatureInputStream: InputStream,
    publicKeyFileInputStream: InputStream,
    publicKeyId: Long,
) = getSignature(signatureInputStream).apply {
    init(BcPGPContentVerifierBuilderProvider(), getPublicKey(publicKeyFileInputStream, publicKeyId))
    update(fileBytes)
}.verify()

private fun getPublicKey(
    publicKeyFileInputStream: InputStream,
    publicKeyId: Long,
): PGPPublicKey {
    val decoderStream = PGPUtil.getDecoderStream(publicKeyFileInputStream)

    val pgpPublicKeyRingCollection = PGPPublicKeyRingCollection(decoderStream, BcKeyFingerprintCalculator())
    val publicKeyRing = pgpPublicKeyRingCollection.getPublicKeyRing(publicKeyId)
        ?: throw IllegalArgumentException("Can't find public key ring with ID $publicKeyId.")

    return publicKeyRing.getPublicKey(publicKeyId)
        ?: throw IllegalArgumentException("Can't find public key with ID $publicKeyId.")
}

private fun getSignature(inputStream: InputStream): PGPSignature {
    val decoderStream = PGPUtil.getDecoderStream(inputStream)

    val pgpSignatureList = PGPObjectFactory(decoderStream, BcKeyFingerprintCalculator()).first {
        it is PGPSignatureList
    } as PGPSignatureList

    return pgpSignatureList.first()
}

fun main() {
    verify(
        fileBytes = File("file").readBytes(),
        signatureInputStream = File("sign").inputStream(),
        publicKeyFileInputStream = File("pub").inputStream(),
        publicKeyId = 3897925568445097277,
    ).let {
        print(it) // false
    }
}

rocky radishBOT Jul 12, 2024, 10:12 PM

#

⌛ This post has been reserved for your question.

Hey @feral inlet! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

feral inlet Jul 12, 2024, 10:12 PM

#

I am assuming wrong usage of some BC API but I can not see which one could be the culprit

#

for reproduction, here's the files

📎 sign 📎 file

#

📎 pub

ionic phoenix Jul 12, 2024, 10:21 PM

#

Does the PGPSignature object contain what you expect?

#

same with the PGPPublicKey

feral inlet Jul 12, 2024, 10:39 PM

#

Seems i was using the wrong public key id

#

is there a way to use all public keys available or do you have to iterate through them

#Verifying GPG signature