I'm getting a zip file in a Flask POST request and I need to verify that the zip is PGP/GPG signed.
Is there any option to add a signature file to the zip during signing and then verify that file?
How can I be sure no one changed the zip and the zip is OK?
According to https://www.gnupg.org/gph/en/manual/x135.html :
gpg --output doc.sig --sign doc
creates a .sig file that includes the zip file, which I don't want.
Here is my code, trying to do it using pgpy:
    import io
    import os
    import zipfile

    import flask
    import pgpy

    app = flask.Flask(__name__)


    @app.route('/', methods=['POST'])
    def verify_signature():
        validate_files(flask.request.files)
        return 'ok'


    def validate_files(files):
        # from_blob returns a (key, extras) tuple, not just the key
        public_key, _ = pgpy.PGPKey.from_blob(os.environ['PUBLIC_KEY'])
        for file in files.values():
            # read the upload fully; these bytes are what a signature would cover
            data = file.read()
            zipfile_ob = zipfile.ZipFile(io.BytesIO(data))
            # is_pgp_signed(public_key, zipfile_ob) - how can I do that?
EDIT: I found the 'Detached signatures' option and it looks good for me: the signature is separate from the file being signed. But again, how can I verify the zip was not changed?