Integrating Blockchain based code signing into your application using Golang

Code Signing - Codenotary - Code Notary


Knowing if your digital assets are safe to use will help you avoid complications from compromised or erroneous code running within your development, test, and production environments. This blog will walk you through the process of integrating blockchain-based code signing into your application using Golang.

For more on verifying with Golang, see our previous blog here.

Signing Assets

In order to have your application verify the assets you want to use, those assets will need to be signed and have their signatures stored on the blockchain. This way they can they can be referenced globally regardless of hosting service or storage location. However, before you can start signing assets, there are a few things you need to have in place.


First, you will need to create your Codenotary account, which you can do here and see a video on how to do here. Once you have an account set up, you will have the ability to start signing assets with the Codenotary vcn CLI tool. The next step is then to prepare your vcn configuration, which you can do simply by running vcn login. The first time the command is executed, a $HOME/.vcn folder will be created with the configuration and generate a user key for you. For more details, check out our GitHub user guide on configuration here. Also, you’ll want to be sure that the $HOME~/.vcn folder is accessible by the program you are coding.

Using Asset Signing in Your Go Code

We created vcn to be able to be utilized directly from within an individual application’s code structure. Extracting and placing a global verification checker like vcn directly into your project gives you the ability to configure it to run whenever you need or want it to do so.

To include asset signing in your code, use the snippet below:

package main

import (

func init() {
// Set ~/.vcn directory
if err := store.SetDefaultDir(); err != nil {

// Load the configuration
if err := store.LoadConfig(); err != nil {

// currentUser returns the current authenticated vcn user, if any,
otherwise an error is returned
func currentUser() (*api.User, error) {
email := store.Config().CurrentContext
if email == "" {
return nil, fmt.Errorf("no user has been set for current context")
   u := api.NewUser(email)
return u, nil

func main() {
passphrase := ""

// Get the current user
user, err := currentUser()
if err != nil {

  // Create a fake asset
asset := api.Artifact{
Name: "",
Hash: "",
Size: 11, // a size > 0 is required
  verification, err := user.Sign(
user.DefaultKey(), // get and use the default key, optionally another key can be used
meta.StatusTrusted,     // other status (meta.StatusUntrusted, meta.StatusUnsupported) can be used too
meta.VisibilityPrivate, // or meta.VisibilityPublic
if err != nil {

  fmt.Println("Asset has been successfully signed with Status: ", meta.StatusName(verification.Status))

How It Works

The package gives you access to all the low-level functions.

The pulls in the vcn API and allows you to write directly to the blockchain.

The store.SetDefaultDir then sets your default directory for where you will store your asset signatures locally. Then the store.LoadConfig will set up the configuration locally and enable you to write to the blockchain.

Next, you will need to create the function currentUser to validate the current vcn user exists in the system. If the information entered is correct, then the user is allowed to proceed, otherwise, an error is returned.

After setting up a path to check your user information is stored within the system, you need to create a function for allowing you to enter your passphrase, which will enable you to sign assets and have their hashes written to the blockchain. The vcn application will then match the previously entered currentUser to the entered passphrase. If successful, the system will allow you to proceed. If not, an error will be returned.

The next step is to choose an asset you want to load for signing later. (You can also create a fake asset if you are just testing out the functionality.) But first, you need to set up output fields for correctly storing the name, hash, and size of a newly signed asset for the api.Artifact function to slot created data into.

You can read more about all the fields in our Go doc at

Once your fields have been set up to store your signing artifacts, you need to get the key the system generated for you the first time you signed in using vcn login and which is stored, by default, in the ~/.vcn folder. (Optionally, you can choose to use another key for signing if you wish, though you will have to designate it specifically.) After you have told the system which key to use in the signing process, you need to specify the passphrase that will allow your key to be used to sign an asset.

If everything is successful, the system will append the designated meta.Status and meta.Visibility to your signature. The output you should see is the printed line as seen in the example below:

Asset has been successfully signed with Status: TRUSTED


Inserting the ability for your application to sign the digital assets you create or use allows you to benefit from the immutability of the blockchain and rest assured your code, components, applications, and more are just as safe as the way you left them.

Information on our entire vcn project can be found in our GitHub repository, which you can check out by following the link below.

Take Me to GitHub Repo


Learn More at


Save energy without reducing VM performance in your VMware vSphere cluster
16 August 2022
Over the last couple of decades energy consumption went up massively in every data center and while the…
Metrics & Logs support for IoT - Bringing Secure Monitoring and Logging to the Edge
7 July 2022
Simple uptime monitoring for Internet-of-Things (IoT) is well-known and requires knowing if the devices are up and running.…
Monitoring Azure SQL Managed Instance with Opvizor Metrics & Logs
17 January 2022
When you have critical applications and business processes that rely on Azure resources, it's critical to keep an…

White Paper — Registration

You will receive the research paper by mail.

Codenotary — Webinar

White Paper — Registration

Please let us know where we can send the whitepaper on Codenotary Trusted Software Supply Chain. 

Become a partner

Start Your Trial

Please enter contact information to receive an email with the virtual appliance download instructions.

Start Free Trial

Please enter contact information to receive an email with the free trial details.

Subscribe to our newsletter