PGP Verify


You can use the PGP Verify filter to verify Pretty Good Privacy (PGP) signed messages passing through the API Gateway pipeline. PGP signed messages received at the API Gateway can be verified by validating the signature using the public PGP key of the message signer. The PGP Verify filter supports the following signing methods:

Compressed Verifies a compressed signature. Because the message is contained in the signature, this signature is used in place of the message.
Clear Signed A clear signed message has the message intact and a signature attached under the clear message text. Verifying this message verifies the sender and the message integrity.
Detached Signature (MIME) Verifies a multipart MIME document where the message is in clear text and the signature is attached as a MIME part.

An example use case for this filter would be when files are sent to the API Gateway over Secure Shell File Transfer Protocol (SFTP) in PGP signed format. The API Gateway can use the PGP Verify filter to verify the message, and then use Threat Detection filters to perform virus scanning. The clean files can be PGP signed again using the PGP Sign filter before being sent over SFTP to their target destination. For more details, see the PGP Sign filter.


Complete the following fields to configure this filter:


Enter an appropriate name for the filter.

PGP Public Key to be retrieved from one of the following locations:

Select how the sender's public PGP key is retrieved to verify the message:

Use the following public key from the PGP Key Pair list Click the browse button on the right, and select a PGP key pair configured in the Certificate Store. For details on configuring PGP key pairs, see the topic on Certificates and Keys.
Look up the public key using the following alias Enter the alias name of the PGP public key used in the Certificate Store (for example, My PGP Test Key). Alternatively, you can enter a selector expression that specifies the name of a message attribute that contains the alias. The value of the selector is expanded at runtime (for example, ${my.pgp.test.key.alias}).
The following message attribute will contain the public key Enter a selector expression that specifies the name of the message attribute that contains the public key. The value of the selector is expanded at runtime (for example, ${my.pgp.test.public.key}).

For more details on selectors, see Selecting Configuration Values at Runtime.

Signing Method:

Select the signing method that was used to create the digital signature for the message attachment:

  • Compressed

  • Clear Signed

  • Detached Signature (MIME)

For details on creating PGP digital signatures, see the topic on the PGP Sign filter.

Content type:

Enter the Content-Type of the verified message data. Defaults to application/octet-stream.