Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
AO melakukan operasi penandatanganan dan verifikasi melalui Google Distributed Cloud (GDC) dengan air gap ke KMS melalui klien gRPC.
Sebelum memulai
Untuk mendapatkan izin yang diperlukan untuk menandatangani data, minta Admin IAM Organisasi Anda untuk memberi Anda peran KMS Developer (kms-developer) di namespace project Anda.
Menandatangani data
Untuk menandatangani data, gunakan perintah gdcloud kms keys asymmetric-sign. Perintah ini
membuat tanda tangan digital file input menggunakan kunci Signing, dan menyimpan
tanda tangan berenkode base64.
Untuk menandatangani data Anda, teruskan nama kunci dan hal berikut:
KEY_NAME: nama kunci yang digunakan untuk menandatangani—misalnya: key-1.
INPUT_PATH: jalur file input yang ingin Anda
tandatangani.
SIGNATURE_FILE: jalur file output untuk menyimpan tanda tangan berenkode base64.
Setelah menjalankan perintah, Anda akan melihat file output yang ditentukan di tanda
--signature-file yang berisi tanda tangan berenkode base64.
Verifikasi data
Setelah menandatangani data, verifikasi tanda tangan digital base64 menggunakan
perintah gdcloud kms keys asymmetric-verify. Perintah ini memverifikasi apakah
tanda tangan digital berenkode base64 yang Anda terima setelah menjalankan perintah
gdcloud kms keys asymmetric-sign valid atau tidak.
Untuk memverifikasi tanda tangan, teruskan file tanda tangan dan yang berikut ini:
Setelah menjalankan perintah, Anda akan melihat output Verification OK jika berhasil. Jika tidak berhasil, Anda akan melihat output kegagalan
Verification Failure.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[[["\u003cp\u003eThe system utilizes Google Distributed Cloud (GDC) air-gapped to the KMS through a gRPC client for sign and verify operations.\u003c/p\u003e\n"],["\u003cp\u003eUsers need the KMS Developer (\u003ccode\u003ekms-developer\u003c/code\u003e) role in their project namespace to obtain the necessary permissions for signing data.\u003c/p\u003e\n"],["\u003cp\u003eData signing is performed using the \u003ccode\u003egdcloud kms keys asymmetric-sign\u003c/code\u003e command, which requires specifying the key name, input file path, and output signature file path.\u003c/p\u003e\n"],["\u003cp\u003eData verification is done using the \u003ccode\u003egdcloud kms keys asymmetric-verify\u003c/code\u003e command, confirming the validity of the base64 encoded digital signature from the signing process.\u003c/p\u003e\n"],["\u003cp\u003eThe verification process might fail if the input or signature file paths are incorrect or if the signature file is empty.\u003c/p\u003e\n"]]],[],null,["# Sign and verify data\n\nThe AO performs sign and verify operations through Google Distributed Cloud (GDC) air-gapped\nto the KMS through a gRPC client.\n\nBefore you begin\n----------------\n\nTo get the required permissions to sign data, ask your Organization IAM Admin to\ngrant you the KMS Developer (`kms-developer`) role in your project namespace.\n\nSign data\n---------\n\nTo sign data, use the `gdcloud kms keys asymmetric-sign` command. This command\ncreates a digital signature of an input file using the `Signing` key, and saves\nthe base64 encoded signature.\n\n- To sign your data, pass in the key name and the following:\n\n gdcloud kms keys asymmetric-sign \\\n namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/signingKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --input-file=\u003cvar translate=\"no\"\u003eINPUT_PATH\u003c/var\u003e \\\n --signature-file=\u003cvar translate=\"no\"\u003eSIGNATURE_FILE\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: the project namespace---for example: `kms-test1`.\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the name of the key used to sign---for example: `key-1`.\n - \u003cvar translate=\"no\"\u003eINPUT_PATH\u003c/var\u003e: the path of the input file you want to have signed.\n - \u003cvar translate=\"no\"\u003eSIGNATURE_FILE\u003c/var\u003e: the path of the output file to save the base64 encoded signature.\n\n After running the command, you see an output file you specified in the\n `--signature-file` flag that contains the base64 encoded signature.\n\nVerify data\n-----------\n\nAfter signing your data, verify the base64 digital signature using\nthe `gdcloud kms keys asymmetric-verify` command. This command verifies whether\nor not the base64 encoded digital signature you receive after running the\n`gdcloud kms keys asymmetric-sign` command is valid.\n\n- To verify the signature, pass in the signature file and the following:\n\n gdcloud kms keys asymmetric-verify \\\n namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/signingKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --input-file=\u003cvar translate=\"no\"\u003eINPUT_PATH\u003c/var\u003e \\\n --signature-file=\u003cvar translate=\"no\"\u003eSIGNATURE_FILE\u003c/var\u003e\n\n After running the command, you see the output `Verification OK` if\n successful. If not successful, you see the failure output\n `Verification Failure`.\n\n| **Note:** The failure output `Verification Failure` might result if the paths of the signature and input files are not correct, and if the signature file is empty."]]