The current "ed25519" signing type assumes raw Ed25519 key format for
both public and private keys. That requires custom processing of keys
after they are generated with openssl tools, and also lacks cryptographic
agility[1]; when Ed25519 becomes vulnerable, it would not be
straightforward to migrate to other algorithms, such as post-quantum
signature algorithms.
This patch adds a new signature type "x509" to use the key formats
natively supported by OpenSSL (PKCS#8 and SubjectPublicKeyInfo) and
capable of embedding an algorithm identifier in an X.509 format.
The "x509" signature type prefers keys to be encoded in the PEM
format on disk, while it still accepts base64 encoded keys when given
through the command-line.
1. https://en.wikipedia.org/wiki/Cryptographic_agility
Signed-off-by: Daiki Ueno <dueno@redhat.com>
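As an added illustration of the key-format difference the commit message describes (example code, not part of ostree or this patch): a minimal parser that takes a SubjectPublicKeyInfo either as a PEM "PUBLIC KEY" block or as the bare base64 a command line would pass, and returns the embedded AlgorithmIdentifier OID together with the raw key bytes, the OID being exactly what a raw Ed25519 key file cannot carry. It assumes the Ed25519 OID 1.3.101.112 from RFC 8410 and uses constructed placeholder key bytes.

```python
import base64
import re

# Ed25519 AlgorithmIdentifier OID from RFC 8410, the value a parser should see.
ED25519_OID = "1.3.101.112"

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, content, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn OID content octets into dotted notation (base-128 arcs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)

def load_spki(text):
    """Accept a PEM "PUBLIC KEY" block (file form) or bare base64 DER
    (command-line form); return (algorithm OID, raw public key bytes)."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", text), validate=True)
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must be SEQUENCE { OID ... }")
    tag, bits, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return _decode_oid(oid), bits[1:]  # the OID is what a raw key file lacks

# Constructed sample: the fixed Ed25519 SPKI prefix plus 32 placeholder key
# bytes (not a real key), in both encodings the x509 sign type accepts.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DER = bytes.fromhex("302a300506032b6570032100") + SAMPLE_KEY
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n" + SAMPLE_B64 + "\n-----END PUBLIC KEY-----\n"
RAW_B64 = base64.b64encode(SAMPLE_KEY).decode()  # raw ed25519-style key, no OID
```

A raw 32-byte key handed to the same function fails the SEQUENCE check, which is the mismatch the self-describing `x509` encoding avoids.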
man/ostree-sign.xml (15 additions & 13 deletions)
@@ -64,26 +64,28 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
64
64
</para>
65
65
66
66
<para>
67
-
There are several "well-known" system places for `ed25519` trusted and revoked public keys -- expected single <literal>base64</literal>-encoded key per line.
67
+
For `ed25519` and `x509`, there are several "well-known" system places for trusted and revoked public keys as listed below.
<para>The format of those files depends on the signature mechanism; for `ed25519`, keys are stored in the <literal>base64</literal> encoding per line, while for `x509` they are stored in the PEM "PUBLIC KEY" encoding.</para>
87
89
</refsect1>
88
90
89
91
<refsect1>
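Review bot: the added `<para>...</para>` sentence about file formats is inserted while the `<para>` opened at context line 66 is still open, and DocBook does not allow a para nested inside a para; either close the enclosing paragraph before it or drop the inner `<para>` tags and keep it as a second sentence of the same paragraph. Minor: `ed25519` and `x509` are in backticks, which DocBook renders literally; `<literal>` is what this file already uses for `base64` (the removed line had the same issue, so this is optional).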
@@ -95,7 +97,7 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
95
97
<listitem><para>
96
98
<variablelist>
97
99
<varlistentry>
98
-
<term><option>for ed25519:</option></term>
100
+
<term><option>for ed25519 and x509:</option></term>
99
101
<listitem><para>
100
102
<literal>base64</literal>-encoded secret (for signing) or public key (for verifying).
101
103
</para></listitem>
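Review bot: the term now covers `x509`, but the description still reads "<literal>base64</literal>-encoded secret (for signing) or public key (for verifying)" without saying what the base64 wraps; per the commit message the `x509` type expects PKCS#8 / SubjectPublicKeyInfo DER rather than raw Ed25519 key bytes, so a user who pastes a raw key here gets a parse failure. Suggest adding "for x509, the base64-encoded DER of a PKCS#8 private key or a SubjectPublicKeyInfo public key".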
@@ -120,7 +122,7 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
120
122
<term><option>-s, --sign-type</option></term>
121
123
<listitem><para>
122
124
Use particular signature mechanism. Currently
123
-
available <argchoice="plain">ed25519</arg> and <argchoice="plain">dummy</arg>
125
+
available <argchoice="plain">ed25519</arg>, <argchoice="plain">x509</arg>, and <argchoice="plain">dummy</arg>
124
126
signature types.
125
127
126
128
The default is <argchoice="plain">ed25519</arg>.
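Review bot: the `--sign-type` list gains `x509`, but nothing in this option text tells the reader that the expected key encoding differs between types (PEM on disk for `x509`, per the commit message); a short cross-reference to the key-file section would save a trip to the source.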
@@ -133,8 +135,8 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
133
135
</para></listitem>
134
136
135
137
<listitem><para>
136
-
Valid for <literal>ed25519</literal> signature type.
137
-
For <literal>ed25519</literal> this file must contain <literal>base64</literal>-encoded
138
+
Valid for <literal>ed25519</literal> and <literal>x509</literal> signature types.
139
+
This file must contain <literal>base64</literal>-encoded
138
140
secret key(s) (for signing) or public key(s) (for verifying) per line.
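Review bot: dropping the "For <literal>ed25519</literal>" qualifier makes "This file must contain <literal>base64</literal>-encoded secret key(s) ... per line" apply to `x509` as well, which contradicts the commit message (x509 keys are PEM on disk) and the new paragraph earlier in this file stating that `x509` key files use the PEM "PUBLIC KEY" encoding. Keep the per-type wording, e.g. "For <literal>ed25519</literal> this file must contain base64-encoded keys per line; for <literal>x509</literal> it must contain PEM-encoded keys."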