Re: Ostree sign capability

From: Dan Nicholson <dbn endlessos org>
To: MR ZenWiz <mrzenwiz gmail com>
Cc: ostree-list <ostree-list gnome org>
Subject: Re: Ostree sign capability
Date: Fri, 16 Jul 2021 15:22:44 -0600

On Fri, Jul 16, 2021 at 11:40 AM MR ZenWiz via ostree-list
<ostree-list gnome org> wrote:


Or would I need to write a special program that emulates what
ostree-sign does except for using the external server API to do the
actual signing?  Assuming that is also possible.


I think this is how you'd have to do it (assuming you mean the ed25519
signer). The signer is internal to ostree and needs to be seeded with
the secret key. There's nothing in there (as far as I can see) to
offload signing to another host. It would be possible to send the
commit object over to a different server, use the ostree_sign_data[1]
API, return the signature bytes and then put them in the commit's
detached metadata in the appropriate format. Internally it uses
libsodium's crypto_sign_detached[2] if you want to cut out the middle
man. It's not straightforward, but it's doable.

1. https://ostreedev.github.io/ostree/reference/ostree-Signature-management.html#ostree-sign-data
2. https://libsodium.gitbook.io/doc/public-key_cryptography/public-key_signatures#detached-mode

References:
- Ostree sign capability
  - From: MR ZenWiz

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]