I'm developing a simple Java code that, using BouncyCastle v1.51, opens a PGP public key and verifies the signatures contained in it. Currently, I'm able to load the public key and to iterate through all the signatures. However, the verification always returns "false", even if I test the signature using the public key that corresponds to the private key that produced the signature.
This is my code:
    try {
        PGPPublicKey pkey = PGPEncryptionUtils.readPublicKey(new FileInputStream(new File(HOME_DIR + "to_verify")));
        Iterator it = pkey.getSignatures();
        PGPPublicKey signing_key = PGPEncryptionUtils.readPublicKey(
                new FileInputStream(new File(HOME_DIR + "my_public_key")));
        while (it.hasNext()) {
            PGPSignature sig = (PGPSignature) it.next();
            sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), signing_key);
            // Here I'd expect to see at least a "true".
            println(sig.verify());
        }
    } catch (FileNotFoundException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (PGPException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
The code for readPublicKey is taken from here: https://github.com/damico/OpenPgp-BounceCastle-Example/blob/master/src/org/jdamico/bc/openpgp/utils/PgpHelper.java.
What am I doing wrong? Thank you!
I don't have experience with PGPSignatures; however, to verify a signature in public key cryptography you need three things:
In your example the original message is missing. You need to provide the original message which was signed through the PGPSignature.update(byte[]) method, so your code must look something like:
    while (it.hasNext()) {
        PGPSignature sig = (PGPSignature) it.next();
        sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), signing_key);
        // here you need the original message
        sig.update("signature original message".getBytes());
        // now you can try to verify!
        println(sig.verify());
    }
Hope this helps,