Sign a Card with an additional key

This guide shows how to sign a Card with an additional private key for providing your digital solution with the highest level of security.

When you care about your security, you shouldn't trust anyone. Thus, to be sure that a user's Card wasn't replaced with another one, you have to add an additional signature into a Card.

Before publishing a user's Card on Virgil Cards Service, we recommend that you sign a Card with an additional private key, for example, the private key of your Application Server.

Remember, you cannot change a Card's content after it's published.

Generate a Private Key

You can generate a private key for your server and save it in a secure key storage with the following code:

    // generate a key pair
    keypair, err := crypto.GenerateKeypair()
    if err != nil {
        //handle error
    }

    // export private and public key
    privateKeyData, err := crypto.ExportPrivateKey(keypair.PrivateKey(), "")
    if err != nil {
        //handle error
    }
    publicKeyData, err := crypto.ExportPublicKey(keypair.PublicKey())
    if err != nil {
        //handle error
    }

    // Save it securely
    privateKeyStr := base64.StdEncoding.EncodeToString(privateKeyData)

    // Embed it in client-side apps
    publicKeyStr := base64.StdEncoding.EncodeToString(publicKeyData)

Also, you can generate a private key using the Virgil CLI.

Sign a user's Card

In order to add the signature of your app server to a user's Card you need to:

transmit an existing user's Card to your server (you must do this before publishing). You can use any suitable way to transmit the Card.

If you need to export a user's Card to a string representation on a client side or import a Card from the string representation on a server side, use the following lines of code:


    params := &sdk.CardManagerParams{}

    params.SignCallback = func(model *sdk.RawSignedModel) (signedCard *sdk.RawSignedModel, err error) {
        rawCardStr, err := model.ExportAsBase64EncodedString()
        if err != nil {
            return nil, err
        }

        // Send this string to server-side, where it will be signed

        //import server's answer
        return sdk.GenerateRawSignedModelFromString(rawCardStr)
    }

sign a transmitted user's Card with a private key of your server:

    // Receive rawCardStr from a client
    rawCard, err := sdk.ImportRawSignedModel(rawCardStr)
    if err != nil {
        //handle
    }

    modelSigner := sdk.NewModelSigner(cardCrypto)

    // sign a user's card with a server's private key
    err = modelSigner.Sign(rawCard, "YOUR_BACKEND", privateKey, nil)
    if err != nil {
        //handle
    }

    // Send it back to the client
    newRawCardStr, err := rawCard.ExportAsBase64EncodedString()

    if err != nil {
        //handle
    }

Then Virgil SDK sends back a signed Card to the client side.

setup Virgil Card Verifier. By default, CardVerifier only verifies the signatures of a Card owner and Virgil Cards Service. So when you add an additional signature to users' Cards, you also have to set up CardVerifier.