How to Create and Validate Digital Signatures using Google Cloud Key Management Service?

Create Digital Signature using Google Cloud KMS

What are Digital Signatures?

Digital signatures, a cryptographic operation, are applied to identify and verify the validity and reliability of digital documents, communications, and transactions.

They function electronically as their handwritten signature or the impressions of a seal on paper documents, providing authentication of the signer’s identity and some guarantees that the document will not be tampered with.

From basic to very complex, digital signatures depend on mathematical algorithms that generate a digitized unique “hash” that is the fingerprint of the signed data.

These crusts are formed using a cryptographic hashing function, and they are then encrypted using the signer’s private key only. The document or message cryptography hash gets generated as a result, which is usually termed as digitally signed.

Step-by-Step Guide to Creating Digital Signatures with Google Cloud KMS

Set up Google Cloud KMS:

For those who don’t possess a Google Cloud account, go ahead and make one. Visit the Google Cloud Console and go to the Key Management Service (KMS) tab. If the KMS isn’t enabled yet for your project, enable it.

Create a Key Ring:

In the KMS section in the Cloud Console, Create a Key Ring. Keys grouped together are a key ring. Choose a name for your key ring and put it in the place where you want.

Generate a Key:

In your ring key, generate a new asymmetric signing key. Asymmetric keys are used to support digital signatures. Here, while defining the key, you will have to specify the purpose of the “asymmetric sign.  ” Then, you can select the key size and algorithm as per your needs.

Recommended: How to Configure EV Code Signing Certificate on Google Cloud HSM?

Grant Permissions:

Then, it is important to define the permission policies for the users or service accounts that will use the key to sign when creating it. Within the Admin & IAM option in the Cloud Console, grant the proper roles (e.g., `roles/cloudkms. signer`) to each account.

Install the Cloud SDK:

To do that, you run your local machine to the Google Cloud Services by installing the Google Cloud SDK. Abstract: You can download and install it from the Google Cloud SDK documentation


With the SDK installed, authenticate the Cloud SDK with your Google Cloud account using the command `gcloud auth login`. Complete the authentication procedure by clicking on the links provided.

Set Project and Region:

With the `gcloud config set project` and `gcloud config set compute/region` commands, you set up the defaults for the project and the region, respectively. This will make sure that you can work with commands that use the correct projects and regions.

Sign Data:

Sign data with gcloud kms asymmetric-sign command now. List the file path, name of the key, and version of that key to be used for signing. It will return the signature to the command.

gcloud kms asymmetric-sign \  
   --location=[LOCATION] \ 
   --keyring=[KEYRING] \
   --key=[KEY] \
   --version=[VERSION] \
--input-file=[PATH_TO_DATA_FILE] \--output-file=[PATH_TO_SIGNATURE_FILE]

Verify Signature:

Additionally, the signature can be validated by using the command `gcloud kms asymmetric-verify`. Please give your signature, authentic(original) data, key name, and key version information. This ensures the data is authentic and not manipulated in any way.

gcloud kms asymmetric-verify \
    --location=[LOCATION] \
    --keyring=[KEYRING] \
    --key=[KEY] \
    --version=[VERSION] \
  --input-file=[PATH_TO_DATA_FILE] \

Handle Errors:

It’s crucial for your application to be able to handle any error that can occur during data signing or verification processes. Failures may happen for many reasons, such as permissions, keys expiring, or erroneous information. Examine the guidelines and correct them accordingly.

These steps will help you generate and obtain digital signatures using the Google Cloud KMS.

Recommended: How to Configure Google CloudHSM to Sign Windows Executables?


Maintaining control of the digital space is of key importance for all kinds of enterprises, as it becomes pressing with the evolution of the digital ecosystem.

Through its multifaceted platform, SignMyCode aims to address the issue head-on by offering the best products for code signing so that developers can confidently distribute their code to the end-users while maintaining trust and transparency with them.

DigiCert EV Code Sign CTA
Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.