[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThe system utilizes Google Distributed Cloud (GDC) air-gapped to the KMS through a gRPC client for sign and verify operations.\u003c/p\u003e\n"],["\u003cp\u003eUsers need the KMS Developer (\u003ccode\u003ekms-developer\u003c/code\u003e) role in their project namespace to obtain the necessary permissions for signing data.\u003c/p\u003e\n"],["\u003cp\u003eData signing is performed using the \u003ccode\u003egdcloud kms keys asymmetric-sign\u003c/code\u003e command, which requires specifying the key name, input file path, and output signature file path.\u003c/p\u003e\n"],["\u003cp\u003eData verification is done using the \u003ccode\u003egdcloud kms keys asymmetric-verify\u003c/code\u003e command, confirming the validity of the base64 encoded digital signature from the signing process.\u003c/p\u003e\n"],["\u003cp\u003eThe verification process might fail if the input or signature file paths are incorrect or if the signature file is empty.\u003c/p\u003e\n"]]],[],null,["# Sign and verify data\n\nThe AO performs sign and verify operations through Google Distributed Cloud (GDC) air-gapped\nto the KMS through a gRPC client.\n\nBefore you begin\n----------------\n\nTo get the required permissions to sign data, ask your Organization IAM Admin to\ngrant you the KMS Developer (`kms-developer`) role in your project namespace.\n\nSign data\n---------\n\nTo sign data, use the `gdcloud kms keys asymmetric-sign` command. This command\ncreates a digital signature of an input file using the `Signing` key, and saves\nthe base64 encoded signature.\n\n- To sign your data, pass in the key name and the following:\n\n gdcloud kms keys asymmetric-sign \\\n namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/signingKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --input-file=\u003cvar translate=\"no\"\u003eINPUT_PATH\u003c/var\u003e \\\n --signature-file=\u003cvar translate=\"no\"\u003eSIGNATURE_FILE\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: the project namespace---for example: `kms-test1`.\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the name of the key used to sign---for example: `key-1`.\n - \u003cvar translate=\"no\"\u003eINPUT_PATH\u003c/var\u003e: the path of the input file you want to have signed.\n - \u003cvar translate=\"no\"\u003eSIGNATURE_FILE\u003c/var\u003e: the path of the output file to save the base64 encoded signature.\n\n After running the command, you see an output file you specified in the\n `--signature-file` flag that contains the base64 encoded signature.\n\nVerify data\n-----------\n\nAfter signing your data, verify the base64 digital signature using\nthe `gdcloud kms keys asymmetric-verify` command. This command verifies whether\nor not the base64 encoded digital signature you receive after running the\n`gdcloud kms keys asymmetric-sign` command is valid.\n\n- To verify the signature, pass in the signature file and the following:\n\n gdcloud kms keys asymmetric-verify \\\n namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/signingKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --input-file=\u003cvar translate=\"no\"\u003eINPUT_PATH\u003c/var\u003e \\\n --signature-file=\u003cvar translate=\"no\"\u003eSIGNATURE_FILE\u003c/var\u003e\n\n After running the command, you see the output `Verification OK` if\n successful. If not successful, you see the failure output\n `Verification Failure`.\n\n| **Note:** The failure output `Verification Failure` might result if the paths of the signature and input files are not correct, and if the signature file is empty."]]