opentofu/plugin/discovery/signature.go

package discovery

import (
	"bytes"
	"log"
	"strings"

	"golang.org/x/crypto/openpgp"
)

// Verify the data using the provided openpgp detached signature and the
// embedded hashicorp public key.
func verifySig(data, sig []byte, armor string) (*openpgp.Entity, error) {
	el, err := openpgp.ReadArmoredKeyRing(strings.NewReader(armor))
	if err != nil {
		log.Fatal(err)
	}

	return openpgp.CheckDetachedSignature(el, bytes.NewReader(data), bytes.NewReader(sig))
}