README_VERIFICATION_KEY_SETUP.md

File metadata and controls

45 lines (27 loc) · 1.77 KB

How to Set Up Signing and Verification Keys

Signing and Verification Key Setup

Integrity Shield requires a key pair (a signing key and a verification key) to verify the integrity of resources deployed in a cluster. Integrity Shield supports X.509 or PGP keys for signing resources. A secret resource (keyring-secret) containing the public key and certificates should be set up in the cluster to enable signature verification by Integrity Shield.

This document uses a GPG key to set up the signing and verification keys.

The following steps show how to set up a GPG key and how to export your public key to a file.

GPG Key Setup

First, you need to set up a GPG key.

If you do not have a PGP key, or you want to use a new key, generate a new one and export it to a file. See this GitHub document.

The following example shows how to generate a GnuPG key (with your email address, e.g. [email protected]):

    gpg --full-generate-key

Confirm that the key is available in the keyring:

    gpg -k [email protected]
    gpg: checking the trustdb
    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   rsa2048 2020-01-27 [SC]
          9D96363D64B579F077AD9446D57583E19B793A64
    uid           [ultimate] Signer <[email protected]>
    sub   rsa2048 2020-01-27 [E]

Then, you need to export the public key to a file. The following example shows how the public key for the signer identified by the email address [email protected] is exported and stored in /tmp/pubring.gpg. (Use the filename pubring.gpg.)

    gpg --export [email protected] > /tmp/pubring.gpg
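As an added example (not part of the Integrity Shield project's documentation), the three steps above as an unattended shell script that works in a throwaway GNUPGHOME and then checks the exported file before it goes into the keyring-secret, so that a private key is never placed in the cluster by mistake. The identity signer@example.com, the batch key parameters and the kubectl command in the trailing comment are assumptions of this example; it assumes GnuPG 2.1 or later for %no-protection.

```shell
#!/bin/sh
# Added example, not Integrity Shield project code. Generates a signing key
# non-interactively, exports only the public key, and checks the result.
set -eu

# Create the key in a fresh temporary keyring so the real ~/.gnupg is untouched.
# Prints the path of the exported public key on success.
setup_signing_key() {
    email="$1"; out="$2"
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Unattended equivalent of 'gpg --full-generate-key': rsa2048 primary key
    # for signing/certification plus an rsa2048 encryption subkey, no passphrase.
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Signer
Name-Email: $email
Expire-Date: 0
%commit
EOF
    # Confirm the key is in the keyring (as 'gpg -k' does), then export the
    # public key only; --export never writes secret key material.
    gpg --batch --quiet -k "$email" >/dev/null
    gpg --batch --quiet --export "$email" > "$out"
    echo "$out"
}

# Checks on the file destined for the keyring-secret: it must parse as OpenPGP
# packets, carry a public key and a user ID, and must NOT carry a secret key
# packet (which a mistaken 'gpg --export-secret-keys' would produce).
check_pubkey_file() {
    packets="$(gpg --batch --quiet --list-packets "$1" 2>/dev/null)" || return 1
    echo "$packets" | grep -q ':public key packet:' || return 1
    echo "$packets" | grep -q ':user ID packet:' || return 1
    echo "$packets" | grep -q ':secret key packet:' && return 1
    return 0
}

# Usage (assumed keyring-secret creation, namespace is a placeholder):
#   kubectl create secret generic keyring-secret \
#     --from-file=pubring.gpg=/tmp/pubring.gpg -n <integrity-shield-namespace>
if [ "${1:-}" = "run" ]; then
    f="$(setup_signing_key signer@example.com /tmp/pubring.gpg)"
    check_pubkey_file "$f" && echo "OK: $f contains a public key only"
fi
```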