This project lets you create PGP-compatible signatures using Azure Keyvault asymmetric keys. It should be considered experimental.
The code comes from https://github.com/heptiolabs/google-kms-pgp, who figured all of this out. I just rewrote it to use Azure Keyvault. This is not an official Microsoft project.
$ go get -u -v github.com/jepio/azure-keyvault-pgp
[...]
$ azure-keyvault-pgp
usage: azure-keyvault-pgp --export|--sign|--clearsign
-a, --armor output in ascii armor
--clearsign sign a message in clear text
--comment string comment associated with the key
-b, --detach-sign make a detached signature
--email string email associated with the key
--export export public key
-u, --local-user string name of key to sign with
--name string name associated with the key
-o, --output string write output to file (use - for stdout)
-s, --sign sign a message
This binary has two modes of execution:
-
--export
: generates and exports a PGP-compatible public key from a Azure Keyvault key. -
--sign|--clearsign
: signs input using the Azure Keyvault key, producing a PGP signature.
$ az login
$ export AZURE_KEYVAULT_URL=https://<keyvault-name>.vault.azure.net
$ azure-keyvault-pgp --export \
--name "My User" \
--comment "A comment about my key" \
--email "myuser@example.com" \
--armor \
--output my-public-key.asc \
my-key
$ gpg --import my-public-key.asc
gpg: key 6014DEDCDEC1EF5F: "My User (A comment about my key) <myuser@example.com>" 1 new user ID
gpg: key 6014DEDCDEC1EF5F: "My User (A comment about my key) <myuser@example.com>" 1 new signature
gpg: Total number processed: 1
gpg: new user IDs: 1
gpg: new signatures: 1
You can import this key into GPG using gpg --import my-public-key.asc
and optionally mark it trusted using gpg --edit-key 6014DEDCDEC1EF5F
$ az login
$ export AZURE_KEYVAULT_URL=https://<keyvault-name>.vault.azure.net
$ azure-keyvault-pgp --sign \
--detach-sign \
--armor \
--local-user my-key \
hello.txt
$ gpg --verify hello.txt.asc hello.txt
gpg: Signature made Fri Aug 31 11:48:35 2018 CDT
gpg: using RSA key 6014DEDCDEC1EF5F
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 5 signed: 5 trust: 5-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "My User (A comment about my key) <myuser@example.com>" [ultimate]