So it looks like GPG/PGP is basically hated within golang etc:

golang/go#29082 (comment) however
it looks like https://jedisct1.github.io/minisign/ and http
s://github.com/jedisct1/go-minisign work

configuration.ini

@@ -9,4 +9,4 @@ LogFilePath=output.log
 LogLevel=INFO
 LoadPprof=false
 SignedScriptsOnly=true
-PublicKeyRingFile=keyfile.gpg
+PublicKeyFile=keyfile.pub

go.mod

@@ -4,6 +4,7 @@ go 1.16
 
 require (
 	github.com/gorilla/mux v1.8.0
+	github.com/jedisct1/go-minisign v0.0.0-20210106175330-e54e81d562c7 // indirect
 	github.com/kardianos/service v1.2.0
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
 	github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec

go.sum

@@ -1,18 +1,27 @@
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/jedisct1/go-minisign v0.0.0-20210106175330-e54e81d562c7 h1:qrPDNqqT76vs8oWL6Z1/D6hKvbXULvlD7FdNVTIUI8A=
+github.com/jedisct1/go-minisign v0.0.0-20210106175330-e54e81d562c7/go.mod h1:oPTyITpvr7hPx/9w76gWrgbZwbb+7gZ9/On8hFc+LNE=
 github.com/kardianos/service v1.2.0 h1:bGuZ/epo3vrt8IPC7mnKQolqFeYJb7Cs8Rk4PSOBB/g=
 github.com/kardianos/service v1.2.0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec h1:DGmKwyZwEB8dI7tbLt/I/gQuP559o/0FrAkHKlQM/Ks=
 github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec/go.mod h1:owBmyHYMLkxyrugmfwE/DLJyW8Ro9mkphwuVErQ0iUw=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211 h1:9UQO31fZ+0aKQOFldThf7BKPMJTiBfWycGh/u3UoO88=
 golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

internal/configuration/configuration.go

@@ -1,13 +1,11 @@
 package configuration
 
 import (
-	"os"
 	"path/filepath"
 	"strconv"
 	"time"
 
-	"golang.org/x/crypto/openpgp"
-
+	"github.com/jedisct1/go-minisign"
 	ini "github.com/vaughan0/go-ini"
 )
 
@@ -24,7 +22,7 @@ type SettingsValues struct {
 	RequestTimeout         time.Duration
 	LoadPprof              bool
 	SignedScriptsOnly      bool
-	PublicKeyRing          openpgp.EntityList
+	PublicKey              minisign.PublicKey
 }
 
 // Settings is the loaded/updated settings from the configuration file
@@ -65,10 +63,14 @@ func Initialise(configurationDirectory string) {
 	Settings.LoadPprof = getIniBoolOrPanic(iniFile, "Server", "LoadPprof")
 	Settings.SignedScriptsOnly = getIniBoolOrPanic(iniFile, "Server", "SignedScriptsOnly")
 
-	keyringFileBuffer, _ := os.Open(getIniValueOrPanic(iniFile, "Server", "PublicKeyRingFile"))
-	defer keyringFileBuffer.Close()
-	entityList, _ := openpgp.ReadArmoredKeyRing(keyringFileBuffer)
-	Settings.PublicKeyRing = entityList
+	keyringFileBuffer := getIniValueOrPanic(iniFile, "Server", "PublicKeyFile")
+
+	publicKey, publicKeyError := minisign.NewPublicKeyFromFile(keyringFileBuffer)
+
+	if publicKeyError != nil {
+		panic(publicKeyError)
+	}
+	Settings.PublicKey = publicKey
 }
 
 func getIniValueOrPanic(input ini.File, group string, key string) string {

internal/web/helpers.go

@@ -11,7 +11,7 @@ import (
 	"sync"
 	"time"
 
-	"golang.org/x/crypto/openpgp"
+	"github.com/jedisct1/go-minisign"
 )
 
 // Script represents an object submitted to the runscript endpoint
@@ -125,13 +125,18 @@ func runScript(responseWriter http.ResponseWriter, scriptToRun Script) []byte {
 
 func verifySignature(stdin string, signature string) bool {
 
-	stdInReader := strings.NewReader(stdin)
-	signatureReader := strings.NewReader(signature)
+	stdinAsArray := []byte(stdin)
+	signatureStruct, signatureError := minisign.DecodeSignature(signature)
 
-	signer, error := openpgp.CheckDetachedSignature(configuration.Settings.PublicKeyRing, stdInReader, signatureReader)
-	if signer != nil && error != nil {
-		return true
+	if signatureError != nil {
+		logwrapper.Log.Debugf("Signature Decoding error: %v", signatureError)
 	}
-	logwrapper.Log.Debugf("Signature Verification Error: %v", error)
-	return false
+
+	isValid, error := configuration.Settings.PublicKey.Verify(stdinAsArray, signatureStruct)
+
+	if error != nil {
+		logwrapper.Log.Debugf("Signature Verification: %b parsedSignature: %v Error: %v", isValid, signatureStruct, error)
+	}
+
+	return isValid
 }