3

In looking at the Crypto Library I see it has the capability to sign data.

Does anyone know if a PGP-compatible signature is as simple as ASCII armoring the output of the Crypto Library's sign command?

I have an application that needs to sign and only sign data using PGP. I've looked at the OpenPGPJS project, but it blows up when I Webpack my application.

I've been trying to use kbpgp, but their documentation isn't that great, and when I follow their default example on signing data, that signature isn't even recognized as a signature when I attempt to use Kleopatra to validate everything was correct. This is even if I change the "GPG MESSAGE" block to instead be a "PGP SIGNATURE" block.

Since I don't need the encryption, just signature, I was thinking that using the Crypto library directly may be the most simple solution here, but I'm having a difficult time finding documentation to validate it can be done easily.

Jens Erat
Doug
  • Were you ever successful in your quest to create an alternative to OpenPGPjs and kbpgp? I too am looking for a way to validate PGP signatures in JavaScript. – William Hilton Oct 26 '18 at 07:42

1 Answer

1

While OpenPGP uses a special mode of operation for encryption (the OpenPGP CFB mode), there are no special algorithms used for signing documents. RFC 4880, OpenPGP defines how OpenPGP messages have to be composed -- in theory, that's all you need to know to export messages in the OpenPGP format. You might even be able to skip a lot of special cases, especially if you also can control what keys are used (and their technical specifics) to sign the information.

But you will have to put together your own code to write the OpenPGP message format, which is pretty much what OpenPGPJS and others are doing already. But doing proper cryptography is very complicated, and there are many ways to do things wrong. Don't write your own crypto code, especially not as a side project.

Finally, looking at the code I'm rather sure kbpgp does not export BEGIN GPG MESSAGE headers. It might well print BEGIN PGP MESSAGE headers, and this is the correct header when signatures are combined with the signed content. Changing this to BEGIN PGP SIGNATURE will result in an invalid header for the message's contents.

Community
Jens Erat
  • I have absolutely no interest in rolling my own crypto. I'm just trying to figure out the path of least resistance here for getting something doing PGP signing in a standard way as quickly as possible. Thank you for confirming my suspicions, that it is more complicated to use the crypto library than it might at first seem. – Doug Jun 30 '17 at 18:26
  • If you're unsure what's going wrong with kbpgp, have a look at the output of `gpg --list-packets` or `pgpdump` for kbpgp's output. Both print the same information in different very technical representations, but enable you to understand what exactly is inside the message (and help in understanding whether and why you did not get the expected output). You will have to dig through RFC 4880, anyway. I cannot help you in deciding what library to use -- neither do I have experience with any of the libraries, nor am I a JavaScript developer at all. – Jens Erat Jun 30 '17 at 18:30
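
The inspection suggested in the last comment can be approximated in a few lines of Node.js. The following is an added example, not part of the original thread and not code from kbpgp or OpenPGPJS: it reads the RFC 4880 packet headers inside an armored block and flags a block relabelled as `PGP SIGNATURE` while it still carries the signed content. Function names and sample bytes are constructed for illustration, and no signature is verified.

```javascript
// Added example: minimal OpenPGP packet lister (RFC 4880 sections 4.2 and 6.2); names are hypothetical.
function dearmor(text) {
  const lines = text.trim().split(/\r?\n/).map(l => l.trim());
  const m = /^-----BEGIN (.+)-----$/.exec(lines[0]);
  const blank = lines.indexOf('');            // armor headers end at the first blank line
  if (!m || blank < 0 || lines[lines.length - 1] !== `-----END ${m[1]}-----`) throw new Error('bad armor');
  const b64 = lines.slice(blank + 1, -1).filter(l => !l.startsWith('=')).join(''); // skip CRC24 line
  return { label: m[1], data: Buffer.from(b64, 'base64') };
}

function newLength(buf, pos) {                // new-format length: [length, nextPos, isPartial]
  if (pos >= buf.length) throw new Error('truncated packet');
  const o = buf[pos];
  if (o < 192) return [o, pos + 1, false];
  if (o < 224) return [((o - 192) << 8) + buf[pos + 1] + 192, pos + 2, false];
  if (o === 255) return [buf.readUInt32BE(pos + 1), pos + 5, false];
  return [1 << (o & 0x1f), pos + 1, true];    // partial body chunk, another length follows
}

function listPackets(data) {                  // top-level packets as {tag, length}
  const out = [];
  for (let pos = 0; pos < data.length;) {
    const h = data[pos++];
    if (!(h & 0x80)) throw new Error('not an OpenPGP packet header');
    // Bit 6 selects the format: new (tag in low 6 bits) or old (tag in bits 5-2).
    let tag = (h & 0x40) ? h & 0x3f : (h >> 2) & 0x0f, n, length = 0, partial = true;
    if (h & 0x40) {
      while (partial) { [n, pos, partial] = newLength(data, pos); length += n; pos += n; }
    } else {
      const w = 1 << (h & 3);                 // length field of 1, 2 or 4 octets; 8 means "to the end"
      length = w === 8 ? data.length - pos : data.readUIntBE(pos, w);
      pos += (w === 8 ? 0 : w) + length;
    }
    if (!(pos <= data.length)) throw new Error('truncated packet');
    out.push({ tag, length });
  }
  return out;
}

// "PGP SIGNATURE" armor is for a detached signature: Signature packets (tag 2) only.
function checkArmor(armored) {
  const { label, data } = dearmor(armored);
  const tags = listPackets(data).map(p => p.tag);
  return { label, tags, labelOk: label !== 'PGP SIGNATURE' || (tags.length > 0 && tags.every(t => t === 2)) };
}

// Constructed sample: well-formed packet headers, zero-filled placeholder bodies.
const pkt = (tag, n) => Buffer.concat([Buffer.from([0xc0 | tag, n]), Buffer.alloc(n)]);
const armor = (label, buf) => `-----BEGIN ${label}-----\n\n${buf.toString('base64')}\n-----END ${label}-----\n`;
const signedMsg = Buffer.concat([pkt(4, 13), pkt(11, 20), pkt(2, 100)]); // one-pass sig, literal, signature
```

`checkArmor(armor('PGP MESSAGE', signedMsg))` reports tags 4, 11, 2 with `labelOk: true`; the same bytes under a `PGP SIGNATURE` label come back with `labelOk: false`, which is the mismatch the answer describes.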