247 questions
0 votes, 0 answers, 41 views
How to sign ClickOnce manifest files (.application, .manifest) when using Google Cloud KMS for code signing?
I've successfully implemented code signing using Google Cloud KMS and jsign for executable files, but I'm unable to sign ClickOnce manifest files.
Current Setup
Certificate: Code signing certificate ...
2 votes, 1 answer, 151 views
How to get the latest key version in Google Cloud KMS?
Assuming you have a key name what is the best way to find the latest version of that key?
I had assumed:
masterKeyVersionIterator := client.ListCryptoKeyVersions(ctx, &kmspb....
-2 votes, 1 answer, 124 views
Migrate GCP Cloud KMS key from single region to multi-regional [closed]
I have a key created in a GCP project using Cloud KMS. I use it to encrypt some data, but at the time it was created it was done on a single region and now I would want to make it multi-regional.
Is ...
0 votes, 1 answer, 102 views
Digest Mismatch when signing with pdfbox and GCP KMS
I'm trying to follow this guide to sign a PDF with Google Cloud's KMS. When testing with pdfsig I get:
- Total document signed
- Signature Validation: Digest Mismatch.
Adobe Acrobat says:
...
1 vote, 1 answer, 137 views
Counterintuitive INVALID_ARGUMENT error in request to Google's KMS API
I am writing a TypeScript, Node.js backend that interacts with Google's KMS API.
Drawing from the samples, I want to expose a function that creates an asymmetric RSA key for signing. My attempt looks ...
0 votes, 0 answers, 68 views
GitHub Actions to GCP OIDC error: Permission 'cloudkms.keyRings.list' denied on resource
I followed the steps given at for the Direct Workload Identity Federation.
My YAML file includes:
- uses: 'google-github-actions/auth@v2'
with:
project_id: 'my-project'
...
0 votes, 1 answer, 225 views
Correct use of gcloud --sort-by combined with --limit
I'm using Google Cloud KMS, and I try to get the latest version of a specific asymmetric key with the gcloud CLI (v492.0). It seems that the --limit flag doesn't take into account the sorting direction ...
0 votes, 1 answer, 107 views
Tink is preferring to use AWS KMS system instead of Android Keystore for storing keys
I am new to Tink and have a question as to why Tink is preferring external KMS like AWS KMS instead of using native Android Keystore.
There could be use cases where we don't want to take keys outside ...
0 votes, 0 answers, 216 views
DETERMINISTIC_DECRYPT_STRING failed: Keyset deserialization failed: Error reading keyset data: Could not parse the input stream as a Keyset-proto
I have a data encryption key encrypted (DEK) that was used to encrypt some values using the algorithm AES256 and the encrypted values are in a BigQuery table.
I am using the KMS provided by Google to ...
1 vote, 2 answers, 673 views
Generate CSR using the private key stored on Google HSM
I want to generate a CSR using the keys which are stored on Google KMS. I have generated the keys but am not sure how to generate the CSR.
I have found samples in Go and Python but I have no idea about these ...
3 votes, 1 answer, 177 views
Verify Signature is not working when using Asymmetric key generated by GCP
In my Spring Boot app, I have a Filter that generates a signature for each response. I have created an Asymmetric Key in GCP (generated by GCP itself).
The key algorithm is 2048 bit RSA key PSS Padding -...
1 vote, 0 answers, 167 views
XML signing with google-cloud-kms in Java/Kotlin
I don't understand how I would use the built-in XML signing library in Java with Google KMS. I have my pub/private key in Google KMS.
I do the following without Google KMS:
val keyPair = getKeyPair() /...
0 votes, 1 answer, 138 views
Does BigQuery Re-Encrypt Data at Rest When Updating the kms_key with ALTER TABLE?
I've been unable to find a clear explanation in the BigQuery documentation regarding the behavior of data at rest when the kms_key is updated using the ALTER TABLE statement.
Cloud KMS is set up and a ...
0 votes, 1 answer, 596 views
What happens to my Cloud SQL instance when the KMS key rotates?
My Cloud SQL is encrypted by a CMEK (via Cloud KMS) that rotates every year. Provided that my SQL instance stays up and running for over a year, what will happen to my database instance when the key ...
0 votes, 1 answer, 120 views
Cannot load such file - Ruby gkms plugin
I'm trying to use gmks plugin for encrypting files for one of my projects. But whatever I do, I end up with this error:
/Library/Ruby/Site/2.6.0/rubygems/core_ext/kernel_require.rb:85:in `require': ...