OpenPGP Signer

The OpenPGP signer has the fully qualified class name: org.signserver.module.openpgp.signer.OpenPGPSigner.

Overview

The OpenPGP signer can sign arbitrary data and produces either an OpenPGP (RFC 4880) detached signature, in binary or ASCII-armored form, or a cleartext signature.

Note that the OpenPGP signer does not use X.509 certificates. The OpenPGP public key can instead be obtained from the worker's status output. Additionally, the Generate CSR functionality allows adding a user ID to the public key and storing the new public key in the PGPPUBLICKEY worker property.

For step-by-step setup instructions, see Setting up OpenPGP Signer.

To download a sample configuration file for this worker, see Sample Worker Configurations.

For information on the interfaces this worker can be called through, see Supported Interfaces by Worker.

Available Properties

Required property:

DETACHEDSIGNATURE (default: none)

Property specifying whether a detached signature should be produced or otherwise a clear-text signature. Examples: true, false.

Optional properties:

CERT_GEN_USE_LEGACY_RSA_SIGN (default: true)

(Optional) RSA_SIGN is deprecated and replaced with RSA_GENERAL.

If the flag is not explicitly set, the default value is true, and the legacy RSA_SIGN is used.

However, if the flag is set to false in the openpgpsigner.properties file, new workers created from the properties file will use RSA_GENERAL instead.

Using Legacy RSA_SIGN with CSR

For backward compatibility, this flag can still be used during PGP certificate generation (via CSR generation in SignServer) to specify whether to use the legacy RSA_SIGN (algorithm ID 3) or the newer RSA_GENERAL (algorithm ID 1).

However, when generating a CSR, the algorithm from the existing PGPPUBLICKEY is used. Therefore, if a PGPPUBLICKEY is already set, the flag has no effect until the PGPPUBLICKEY property is changed.

How to Change Algorithm

To switch algorithms (effectively changing the public key):

  1. Set CERT_GEN_USE_LEGACY_RSA_SIGN to true.

  2. Remove or rename the PGPPUBLICKEY worker property.

  3. Generate the CSR.

The current algorithm is displayed on the worker status page (algorithm 1 = RSA_GENERAL, algorithm 3 = RSA_SIGN).

DIGEST_ALGORITHM (default: SHA256)

(Optional) Specifies the OpenPGP hash algorithm to use for the signature. Possible values are numeric or textual OpenPGP hash algorithm identifiers. Examples: "SHA256", "10".

GENERATE_REVOCATION_CERTIFICATE (default: false)

(Optional) Setting this property to true switches the behavior of the generate CSR functionality: instead of adding a user ID / certification, it generates an OpenPGP revocation certificate.

The idea is to switch this to true only temporarily, generate the revocation certificate, and then switch it back to false.

The header of the generated PGP public key block, -----BEGIN PGP PUBLIC KEY BLOCK-----, is prefixed with a colon to prevent accidentally importing the revocation certificate. Before importing the certificate, this colon must be removed so that the line contains only the text -----BEGIN PGP PUBLIC KEY BLOCK-----.

PGPPUBLICKEY (default: empty)

(Optional) Property for storing the latest OpenPGP public key in ASCII armored form after user IDs / certifications have been added to it. Remember to store the updated public key in this property so that the current user IDs are kept when new ones are added later on.

RESPONSE_FORMAT (default: ARMORED)

(Optional) Specifies the format of the response, either binary or ASCII armored. The possible values are:

  • BINARY

  • ARMORED (Default)

For clear-text signatures (that is, DETACHEDSIGNATURE=false), only ARMORED is a valid choice.

SELFSIGNED_VALIDITY (default: empty)

(Optional) The number of seconds the key is valid for after its creation. This property is applied when a certification is added to the key, so to extend the current validity, set a higher value and perform the certification again. An empty value or zero means that the key does not expire (default).
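The signer's own implementation is Java and is not shown on this page. As an added example (not SignServer code), the following Python shows what the properties above change in the output a consumer receives: it strips the ASCII armor produced with RESPONSE_FORMAT=ARMORED and checks its CRC-24 trailer, then decodes the version 4 signature packet to expose the public-key algorithm ID (1 = RSA_GENERAL, 3 = RSA_SIGN, as shown on the worker status page), the hash algorithm selected by DIGEST_ALGORITHM, the signature type (binary document for a detached signature, canonical text for a cleartext one) and, for certification signatures, the key expiration that SELFSIGNED_VALIDITY sets. The two sample packets are constructed by hand with dummy signature values and are not real signatures; the parser is a minimal one written for this example, it does not verify the signature itself, and it handles only version 4 signature packets.

```python
"""Inspect OpenPGP (RFC 4880) signature output: de-armor, verify the CRC-24 trailer, decode v4 packet fields."""
import base64
import re

# Identifiers from RFC 4880 sections 9.1 and 9.4; the worker status page shows 1 = RSA_GENERAL, 3 = RSA_SIGN
PUBKEY_ALGORITHMS = {1: "RSA_GENERAL", 3: "RSA_SIGN", 17: "DSA", 19: "ECDSA", 22: "EDDSA"}
HASH_ALGORITHMS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIGNATURE_TYPES = {0x00: "binary document", 0x01: "canonical text document", 0x13: "positive certification", 0x20: "key revocation"}
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ARMOR_RE = re.compile(r"-----BEGIN PGP SIGNATURE-----\n(?:[^\n]+\n)*\n(.*?)\n=([A-Za-z0-9+/]{4})\n"
                      r"-----END PGP SIGNATURE-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; the armor trailer line '=XXXX' carries it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:
    """Wrap raw packets the way RESPONSE_FORMAT=ARMORED output is wrapped."""
    body = base64.b64encode(packets).decode("ascii")
    checksum = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n=%s\n-----END PGP SIGNATURE-----\n" % (body, checksum)

def dearmor(text: str) -> bytes:
    """Strip the armor, rejecting output whose CRC-24 trailer does not match (corruption or truncation)."""
    match = ARMOR_RE.search(text)
    if not match:
        raise ValueError("not an armored PGP signature")
    packets = base64.b64decode(match.group(1).replace("\n", ""))
    if crc24(packets) != int.from_bytes(base64.b64decode(match.group(2)), "big"):
        raise ValueError("armor checksum mismatch")
    return packets

def armor_is_intact(text: str) -> bool:
    try:
        return bool(dearmor(text))
    except ValueError:
        return False

def _subpackets(raw: bytes):
    """Walk signature subpackets (RFC 4880 section 5.2.3.1), yielding (type, body) pairs."""
    pos = 0
    while pos < len(raw):
        first = raw[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + raw[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(raw[pos + 1:pos + 5], "big"), pos + 5
        yield raw[pos], raw[pos + 1:pos + length]
        pos += length

def parse_signature_packet(data: bytes) -> dict:
    """Decode the first packet, which must be a version 4 signature packet (tag 2)."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:  # new-format header, RFC 4880 section 4.2.2
        tag, first = tag_byte & 0x3F, data[1]
        if first < 192:
            length, offset = first, 2
        elif first < 224:
            length, offset = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, offset = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:  # old-format header, RFC 4880 section 4.2.1
        tag, size = (tag_byte >> 2) & 0x0F, 1 << (tag_byte & 0x03)
        if size == 8:
            raise ValueError("indeterminate packet length is not supported")
        length, offset = int.from_bytes(data[1:1 + size], "big"), 1 + size
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[offset:offset + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or unsupported signature version")
    sig_type, pk_alg, hash_alg = body[1], body[2], body[3]
    hashed_len = int.from_bytes(body[4:6], "big")
    info = {"version": 4, "signature_type": SIGNATURE_TYPES.get(sig_type, f"0x{sig_type:02x}"),
            "public_key_algorithm_id": pk_alg, "public_key_algorithm": PUBKEY_ALGORITHMS.get(pk_alg, "unknown"),
            "hash_algorithm_id": hash_alg, "hash_algorithm": HASH_ALGORITHMS.get(hash_alg, "unknown")}
    for sub_type, sub_body in _subpackets(body[6:6 + hashed_len]):
        if sub_type == 2:    # signature creation time
            info["creation_time"] = int.from_bytes(sub_body, "big")
        elif sub_type == 9:  # key expiration in seconds after key creation (cf. SELFSIGNED_VALIDITY)
            info["key_expiration_seconds"] = int.from_bytes(sub_body, "big")
    return info

# Constructed samples (dummy 8-bit MPIs, not real signatures): a detached binary-document
# signature with RSA_GENERAL (1) + SHA256 (8) in an old-format header, and a positive
# certification with RSA_SIGN (3) + SHA512 (10) in a new-format header expiring after 86400 s.
SAMPLE_DETACHED = bytes.fromhex("8813 04000108 0006 0502 5f000000 0000 abcd 0008 80")
SAMPLE_CERTIFICATION = bytes.fromhex("c219 0413030a 000c 0502 5f000000 0509 00015180 0000 1234 0008 80")
```

Feeding real worker output through parse_signature_packet(dearmor(text)) (or parse_signature_packet(raw) for RESPONSE_FORMAT=BINARY) lets a release pipeline assert that every signature carries the expected public-key and hash algorithm before it is trusted, and the CRC check catches responses that were truncated in transit; cryptographic verification of the signature value still has to be done with an OpenPGP implementation and the worker's public key.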
