signing

OpenPGP/WKD release signing and verification as a light, dependency-inverted Go library.

signing is the same trust model that backs gtb update, extracted so any project can verify signed releases — or sign its own — without pulling in the go-tool-base framework.

import "gitlab.com/phpboyscout/signing/verify"

The light-footprint promise

The module graph is deliberately tiny. go.mod declares go-crypto and cockroachdb/errors and nothing else: no cloud SDK, no web framework, no go-tool-base. Heavy or remote signing backends (AWS KMS, GCP, Azure, an HSM) are defined as an interface and injected by the consumer, so they never enter your dependency graph unless you opt in. See Why backends are injected.

The library leans on the standard library at every seam:

  • crypto.Signer for keys (works with an in-memory RSA key or a remote KMS handle),
  • *slog.Logger for logging (nil disables it),
  • *http.Client for WKD fetches (nil uses a stdlib client with a 30s timeout).
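The dependency inversion described above, shown as an added stand-alone example (not code from the signing module): a release manifest is signed through nothing but `crypto.Signer`, so the same call site works for an in-memory `*rsa.PrivateKey` and for a `remoteSigner` type that stands in for a KMS/HSM handle. The `remoteSigner` type, the `SignManifest`/`VerifyManifest` functions and the manifest line are all constructed here for illustration; the consumer-side verifier only ever needs the public half, which is the part a project embeds at build time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// remoteSigner is a constructed stand-in for a KMS/HSM handle. It exposes only
// crypto.Signer, so callers never touch the private key directly; a real
// backend would forward Sign to the remote service instead of a local key.
type remoteSigner struct {
	key *rsa.PrivateKey
}

func (r *remoteSigner) Public() crypto.PublicKey { return &r.key.PublicKey }

func (r *remoteSigner) Sign(rnd io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return r.key.Sign(rnd, digest, opts)
}

// SignManifest signs the SHA-256 digest of a manifest through whatever
// crypto.Signer the caller injects. Passing crypto.SHA256 as the options
// selects PKCS#1 v1.5 for an RSA signer.
func SignManifest(s crypto.Signer, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return s.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifyManifest checks the signature against the signer's public key only,
// which is all a consumer needs to ship.
func VerifyManifest(pub crypto.PublicKey, manifest, sig []byte) error {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported public key type %T", pub)
	}
	digest := sha256.Sum256(manifest)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig)
}

// Demo runs the round trip with both signer kinds. It returns whether the
// genuine manifest verified under each backend and whether a one-bit
// tampering of the manifest was rejected.
func Demo() (localOK, remoteOK, tamperedRejected bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	manifest := []byte("sha256  ffmpeg.wasm  0xc0ffee\n") // constructed sample line

	// Backend 1: in-memory key. *rsa.PrivateKey already satisfies crypto.Signer.
	sig, err := SignManifest(key, manifest)
	if err != nil {
		return false, false, false, err
	}
	localOK = VerifyManifest(key.Public(), manifest, sig) == nil

	// Backend 2: remote stand-in. Same call site, different signer injected.
	remote := &remoteSigner{key: key}
	sig2, err := SignManifest(remote, manifest)
	if err != nil {
		return false, false, false, err
	}
	remoteOK = VerifyManifest(remote.Public(), manifest, sig2) == nil

	// Flip one bit of the manifest: the signature must no longer verify.
	tampered := append([]byte(nil), manifest...)
	tampered[len(tampered)-2] ^= 0x01
	tamperedRejected = VerifyManifest(key.Public(), tampered, sig) != nil
	return localOK, remoteOK, tamperedRejected, nil
}

func main() {
	localOK, remoteOK, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("local=%v remote=%v tampered rejected=%v\n", localOK, remoteOK, rejected)
}
```

Swapping `remoteSigner` for a real cloud-KMS client changes only the type that is constructed in `Demo`; `SignManifest`, `VerifyManifest` and everything downstream keep compiling against `crypto.Signer`, which is exactly why the backend can live outside the library's module graph.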

Who it is for

  • Consumers verifying signed releases — e.g. afmpeg verifying the signed wasm release assets published by ffmpeg-wasi.
  • Any non-framework Go project that wants release-asset integrity without adopting a CLI framework.
  • Publishers signing their own release manifests via the reference local backend or a custom KMS/HSM backend.

Verify a release in ten lines

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"time"

	"gitlab.com/phpboyscout/signing/verify" // plus this module's openpgpkey helper package
)

priv, _ := rsa.GenerateKey(rand.Reader, 3072) // throwaway publisher key for the demo
now := time.Unix(0, 0)
pub, _ := openpgpkey.ArmoredPublicKey(priv, "Release", "[email protected]", now)
manifest := []byte("sha256  ffmpeg.wasm  0xc0ffee\n")
sig, _ := openpgpkey.DetachSign(priv, pub, bytes.NewReader(manifest), now) // detached OpenPGP signature

trust, _ := verify.LoadTrustSet(pub)
err := trust.VerifyManifestSignature(manifest, sig) // nil == verified

In production you embed the publisher's armoured public key at build time rather than generating one; the verification call is identical.

Where to go next

The documentation follows the Diátaxis framework: