Code Monkey home page Code Monkey logo

remote-signer's Introduction

Quanto Remote Signer (QRS)

MIT License

A simple Web Server to act as a GPG Creator / Signer / Verifier. This abstracts the use of the GPG and makes easy to sign / verify any GPG document using just a POST request.

Please notice that this application is NOT inteded to ran public in the internet. This is inteded to be a helper service to your application be able to sign / verify data (same as local gpg in the system). Because of that, it only listens for localhost.

It is used internally the racerxdl's AppServer to provide a REST web server. It is authorized by the owner to be licensed at MIT here (check the Owner Signature at the commit that adds this README as the proof)

If you want to use RethinkDB SKS Driver please check the license of RethinkDb.Driver since for SSL/TLS connections to rethinkdb (for an unknown reason) you need to pay a license fee.


  • Increment this document with models and enums


This application opens up a WebServer listening on port 5100 and have a base URL defined as /remoteSigner.

Setting up GPG Private Keys

By default QRS searchs for encrypted private keys at ./keys. Put all the private keys you want to use in Encrypted Ascii Armored Format inside it. It will iterate over all files and load them. If you don't have one, you can either create using the gpg toolkit or by calling the create api. Notice that calling the create API does not automatically store the key at the keys folder.

The keys folder can be overrided by the PRIVATE_KEY_FOLDER environment variable.

Creating a GPG Key

Although creating a GPG Key here might not be a good idea, you can use QRS to generate new GPG Keys on the fly. To do so, make a POST request to /remoteSigner/gpg/generateKey with the following JSON Content:

  "Identifier": "Lucas Teske <[email protected]>",
  "Password": "123456",
  "Bits": 3072

It should return your Encrypted GPG Private Key in ASCII Armored format.

Version: BCPG C# v1.8.1.0


Unlocking a Private Key

Before any sign operation can be done, you need to decrypt the loaded private keys. If the keys is stored in a non-encrypted format (no password) you don't need to do that step. Simple call /remoteSigner/gpg/unlockKey with the following JSON payload:

  "FingerPrint": "D7362B4CC546DB11",
  "Password": "123456"

Signing Data

For signing data, the first thing is to make sure the key is loaded and decrypted. Then encode the data you want to sign in Base64. Let's take for example the following text to sign:

Terrible connections lead to terrible users

We can base64 encode (for example in shellscript):

echo "Terrible Connections lead to Terrible Users" | base64

And make a POST request to /remoteSigner/gpg/sign with the following JSON payload:

  "Base64Data": "VGVycmlibGUgQ29ubmVjdGlvbnMgbGVhZCB0byBUZXJyaWJsZSBVc2Vycwo=",
  "FingerPrint": "D7362B4CC546DB11"

Leading to a Ascii Armored GPG Detached Signature:

Version: BCPG C# v1.8.1.0


You might also want to get directly into Quanto Signature format (FingerPrint_Hash_Signature). For doing so you can send the same payload to /remoteSigner/gpg/signQuanto leading to:


Verifing Signatures

The process to verify a signature is similar to signing data. First you need to make sure the public key is loaded into the server (if the private key is, the public is as well) or it is available in the specified SKS Server and then encode the test data in Base64 format and POST the following payload to /remoteSigner/gpg/verifySignature

  "Base64Data": "VGVycmlibGUgQ29ubmVjdGlvbnMgbGVhZCB0byBUZXJyaWJsZSBVc2Vycwo=",
  "signature":"-----BEGIN PGP SIGNATURE-----\nVersion: BCPG C# v1.8.1.0\n\niQIcBAABCgAGBQJaalMSAAoJENc2K0zFRtsRuxEQAKPz46GpBYvZY99dqfylo/ux\nOcbFx0U/jWnXACEsz4KbfIaKqTNQLNOApt7vC+PTeK18Bx3i6lLDq5s0T56ZZS07\n+12/8qWfq08LOTANtrMetmOP1znaJpzmWzpxCp8t/pTowt1RZJUfGC5zdxoxMLB8\nu3siSbbqSxPlOYx7yfNnJqE7KagHn83WdZYIQTFBYZESqfEhjmazERui+g3YKF74\nUlr8Ey0kIFptVa/DdsIQwgCMjDalWB6zdX8xLiLqH0pRAOSmiMcU7cX8vWSAlC5S\nl7uoam6azzyc/kAYBaBd+3/YORDu6vlnNvHtj6D1cvff0ahinnKHb2gxqN+cBUbL\nNlpBSRKwd5i/O504BjGOplp31rCbza+0vs0lvbQ2/ZMH1HaspuO3I8jdZQpaMxR4\n6GWf9/+clg8SxkNgbaKj8pRHnzvrjEOaEfYNXxdjMV4LgXX6pjZtZi47AfHqXPWc\n/pw7YSG6yJLF4n+Egky/thvoVQHR3GM10VXvUjYVTRdEaxO2P9MpWYLD8Fqa6rMo\nzVNXtCMKtej5Y5qQHMCFcKafG1J0TXPfsqnYCSsG2PpdDsZhz5r6eKgu5LZqN5yO\ntRylJnBDJuE8yweNYBDYWWAMoo1ApziRUItNI5el1I0DC+vwaM4Vxurywjxhcy4q\nHTlBXAdXKpVLINxkRSKy\n=YK2F\n-----END PGP SIGNATURE-----" 

In case of success, it will return an OK. In case of failure it will return an ErrorObject with an errorCode field INVALID_SIGNATURE.

You might also want to verify in Quanto Signature format. To do so, you can send the same payload with the signature field containing the Quanto Signature you want to verify to /remoteSigner/gpg/verifySignatureQuanto.

  "Base64Data": "VGVycmlibGUgQ29ubmVjdGlvbnMgbGVhZCB0byBUZXJyaWJsZSBVc2Vycwo=",

Adding Encrypted Private Key through API

To add a private key, you can make a POST to /remoteSigner/keyRing/addPrivateKey with the following payload:

  "EncryptedPrivateKey": "-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: GnuPG (...) JSlmyLSuTHXzeKo72hP40y3Xkf\nuugqVOWHeE7v7ARMu1mhXS6qWzZmxsjixV1d0kXSo9LzUyFqNtkasUiL2aoXQ70z\nlbMia0X7KJbYnbG5XLEDiMjzDQ==\n=JwWd\n-----END PGP PRIVATE KEY BLOCK-----",
  "SaveToDisk": true

The SaveToDisk parameter tells the server to save that private keys in the KeysFolder.

List Cached Public Keys

Execute GET to /remoteSigner/keyRing/cachedKeys


        "FingerPrint": "D7362B4CC546DB11",
        "Identifier":"Benchmark Test Key",
        "Bits": 4096,
        "ContainsPrivateKey": false,
        "PrivateKeyDecrypted": false

List Loaded Private Keys

Execute GET to /remoteSigner/keyRing/privateKeys


        "FingerPrint": "D7362B4CC546DB11",
        "Identifier": "Benchmark Test Key",
        "Bits": 4096,
        "ContainsPrivateKey": true,
        "PrivateKeyDecrypted": false

Encrypt Data using public key

Ensure that the public key you want to use is loaded and execute POST to /remoteSigner/gpg/encrypt with following payload:

  "Base64Data": "eyJxdWVyeSI6InF1ZXJ5IHsgR2V0QmFua1N5c3RlbVN0YXR1cyAoYmFua051bWJlcjogXCI2MzNcIikgfSJ9Cg==",
  "FingerPrint": "870AFA59"


Version: BCPG C# v1.8.1.0


Decrypt Data using decrypted private key

Ensure that the private key from the data you're trying to decrypt is loaded and decrypted, then execute a POST to /remoteSigner/gpg/decrypt with the following payload:

  "AsciiArmoredData": "-----BEGIN PGP MESSAGE-----\nVersion: BCPG C# v1.8.1.0\n\nhQILAwAWqcqHCvpZAQ/4vF53gHVus8aKyKGkzb7jn2R4aZB3KCQ08S2xhAUvZFF8\n0qaeLxPGDdOo4X43zNmOvfIth4IwnDFF/SlD6E9ToxI+oDBC2hU92GyQZmlrb0dm\nHfVtKxCP9D6bAUHb9/G2QrbLSwov7TKlYs4gcqv72Lh4It8wVZaUm+qWb1EL4I33\nM+RHPSkmDPpCVWJxPQv/5Bt0h48wX9V7JtFc2FXJgJhYyrRxxIEFDcof4jdbvH/2\ncd5DDoLJPq3w4R4GKLxgQisgK2fp9jsl5AUzBiNy++l80rJW3m9TL3hLHUqqvL2R\nZrglp5KCR367uB0b6H+oXCRkxsgulTtXWM111HfTEJ0FYkYMfjxwYLdgjeduilhP\n7bkLDXFJgR3TaxHweUx4tOYRREsRSnzlDEDt+RdCHnP27mn/8QOi2wzi5zTP/KIr\nHlNfb+yw1BlFS5swFp+QLj7/QfkZefsneQC+zKfzyV9Hyz0b5tqXmsn+aVREF9D7\nQpqbEyHO1E/amz0hPIqu8CIIxr9Exmjxj5jV4MRgqVZ+5ukjiahG4jnnGuMPMvlp\nYjdZ1lAq0LDs+XSf9QbZE63j4YDT5tuJXNhUYojhb+DSSlL5LmQCuzTtZLNZaS+S\n26fQ5R3NYTWsJF3gvqwyXCr/49gYDxU2YNOBGdHGvOsDqnqchceRqWXfCJ8QlNKG\nAXLylUqQH0y58X0DTbEUEDtKRHAk42f9hicpxQY0FfnrUnggIBFubs385k6LIIDR\n4Xs6LwwjGFT9XqWzNa7adi+60sfrlN2iTYRZJGsNdvGmnMTClS0e6i6rlgQJAqHe\nl5rf7WGniCF+sAjxmbJ53TPBrh/sUlMMl0acXmXz4EZxnaENBJg=\n=n4Ks\n-----END PGP MESSAGE-----",


  "FingerPrint": "0016A9CA870AFA59",
  "Base64Data": "eyJxdWVyeSI6InF1ZXJ5IHsgR2V0QmFua1N5c3RlbVN0YXR1cyAoYmFua051bWJlcjogXCI2MzNcIikgfSJ9Cg==",
  "Filename": "QuantoEncrypt-1518071090398.bin",
  "IsIntegrityProtected": true,
  "IsIntegrityOK": true

Environment Variables

These are the Environment Variables that you can set to manage the webserver:

  • SYSLOG_IP => IP of the Syslog Server to send Console Messages (defaults to '') Does not apply for Windows
  • SYSLOG_FACILITY => Facility of the Syslog to use. (defaults to 'LOG_USER')
  • PRIVATE_KEY_FOLDER => Folder to load / store encrypted private keys. (defaults to './keys')
  • SKS_SERVER => SKS Server to fetch / put public keys. (defaults to '')
  • MAX_KEYRING_CACHE_SIZE => Maximum Number of Public Keys to cache (does not include Private Keys derived Public Keys). (defaults to 1000)


For Windows

Just use the newest version of Visual Studio and hit build. You should have a executable in folder bin/Debug or bin/Release.

For Linux

You will need mono and nuget. On Ubuntu 16.04 you can run:

sudo apt install mono-complete nuget
git clone
cd remote-signer
nuget restore
msbuild /p:Configuration=Release
mkdir binaries
cp RemoteSigner/bin/Release/* binaries
mkdir binaries/keys
cd binaries

Aditionally, you can compile an executable that does not need mono to be ran by using mkbundle:

mkbundle -z --static --deps RemoteSigner.exe -L /usr/lib/mono/4.5 -o RemoteSigner

This will generate a static binary called RemoteSigner.

For Mac

You will need mono and nuget. With Brew you can run:

brew install mono nuget
git clone
cd remote-signer
nuget restore
xbuild /p:Configuration=Release
cd RemoteSigner/bin/Release/
mkdir keys
mono RemoteSigner.exe

Aditionally, you can compile an executable that does not need mono to be ran by using mkbundle:

export CC="cc -framework CoreFoundation -lobjc -liconv "
mkbundle -z --static --deps RemoteSigner.exe -L /usr/local/Cellar/mono/ -o RemoteSigner

This will generate a static binary called RemoteSigner.

Enabling Syslog Support

To be able to output to syslog, you need to add UDP support to syslog server.

Edit the file /etc/rsyslog.conf and search for these lines:

# provides UDP syslog reception
#input(type="imudp" port="514")

If you find, uncomment the last two, if you dont find, just add to the end of the file.

# provides UDP syslog reception
input(type="imudp" port="514")

Then restart syslog. On Ubuntu: service rsyslog restart

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.