Re: Ostree sign capability



On Fri, Jul 16, 2021 at 11:40 AM MR ZenWiz via ostree-list
<ostree-list gnome org> wrote:

Or would I need to write a special program that emulates what
ostree-sign does except for using the external server API to do the
actual signing?  Assuming that is also possible.

I think this is how you'd have to do it (assuming you mean the ed25519
signer). The signer is internal to ostree and needs to be seeded with
the secret key. There's nothing in there (as far as I can see) to
offload signing to another host. It would be possible to send the
commit object over to a different server, use the ostree_sign_data[1]
API, return the signature bytes and then put them in the commit's
detached metadata in the appropriate format. Internally it uses
libsodium's crypto_sign_detached[2] if you want to cut out the middle
man. It's not straightforward, but it's doable.

1. https://ostreedev.github.io/ostree/reference/ostree-Signature-management.html#ostree-sign-data
2. https://libsodium.gitbook.io/doc/public-key_cryptography/public-key_signatures#detached-mode
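The split workflow described above (commit bytes go to a separate signing host, the detached signature bytes come back and are recorded in the commit's detached metadata), as an added example that is not part of this thread or of ostree's own code. It uses Go's standard-library crypto/ed25519, which produces the same 64-byte detached Ed25519 signature as libsodium's crypto_sign_detached, so the signing-host side is interchangeable with the libsodium or ostree_sign_data route the reply mentions. The commit object bytes are constructed, the metadata key name `ostree.sign.ed25519` is an assumption to confirm against your ostree version, and the detached metadata is modelled as a plain Go map rather than serialized as a GVariant:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed key under which ostree's ed25519 signer keeps detached signatures in
// the commit's detached metadata; confirm against the ostree version you run.
const ed25519MetadataKey = "ostree.sign.ed25519"

// SigningHost stands in for the remote server that holds the secret key.
// The build host only ever handles commit bytes and returned signatures.
type SigningHost struct {
	priv ed25519.PrivateKey
}

// NewSigningHost generates a fresh keypair; in a real deployment the seed
// lives in the signing server's secret store and never leaves it.
func NewSigningHost() (*SigningHost, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SigningHost{priv: priv}, pub, nil
}

// SignCommit returns a 64-byte detached Ed25519 signature over the raw commit
// object, the same construction as libsodium's crypto_sign_detached.
func (s *SigningHost) SignCommit(commitObject []byte) []byte {
	return ed25519.Sign(s.priv, commitObject)
}

// DetachedMetadata models the dictionary ostree keeps beside a commit
// (assumed: a list of raw signature byte arrays under the key above).
type DetachedMetadata map[string][][]byte

// AttachSignature is the build-host side: it checks the bytes the signing
// server returned against the expected public key before recording them, so a
// wrong key, a stale commit or a corrupted transfer is caught at build time
// rather than by clients at pull time. Re-attaching an identical signature
// is a no-op.
func AttachSignature(meta DetachedMetadata, commitObject, sig []byte, pub ed25519.PublicKey) error {
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("signature is %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(pub, commitObject, sig) {
		return errors.New("signature does not verify against the expected public key")
	}
	for _, existing := range meta[ed25519MetadataKey] {
		if bytes.Equal(existing, sig) {
			return nil
		}
	}
	meta[ed25519MetadataKey] = append(meta[ed25519MetadataKey], sig)
	return nil
}

// VerifyCommit mirrors the client-side check at pull time: the commit is
// accepted if any recorded signature verifies with a trusted public key.
func VerifyCommit(meta DetachedMetadata, commitObject []byte, trusted []ed25519.PublicKey) bool {
	for _, sig := range meta[ed25519MetadataKey] {
		for _, pub := range trusted {
			if ed25519.Verify(pub, commitObject, sig) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed stand-in for the serialized commit object bytes.
	commit := []byte("constructed commit object bytes, not a real ostree commit")

	server, pub, err := NewSigningHost()
	if err != nil {
		panic(err)
	}
	sig := server.SignCommit(commit) // the only thing the signing host returns

	meta := DetachedMetadata{}
	if err := AttachSignature(meta, commit, sig, pub); err != nil {
		panic(err)
	}
	fmt.Printf("stored %d signature(s) under %q\n", len(meta[ed25519MetadataKey]), ed25519MetadataKey)

	trusted := []ed25519.PublicKey{pub}
	fmt.Println("original verifies:", VerifyCommit(meta, commit, trusted))
	fmt.Println("tampered verifies:", VerifyCommit(meta, append([]byte("x"), commit...), trusted))
}
```

The verify-before-store step in AttachSignature is the part worth keeping whatever transport you put between the two hosts: the build host should treat the returned bytes as untrusted input and confirm they are a valid signature over exactly the commit bytes it sent, under the public key that will be distributed to clients.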

