@@ -50,6 +50,7 @@ Private registries that require authentication use asymmetric cryptography as a
3. Go to the "register a key pair" page, upload your public key. and get the user ID for that key pair.
Most do not, but some registries require one more step:
+
4. if the registry gave you a `key-subject` then on the command line run `cargo login --registry=name --key-subject="the provided data"`
There are credential processes for using key pairs stored on hardware tokens. Check crates.io to see if there's one available for your hardware. Each one is a little different, but the general workflow is:
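Review bot: step 4 (`4. if the registry gave you a `key-subject` then ...`) still reads as a fragment: it starts lower-case, has no terminal period, and `"the provided data"` would be clearer as an explicit placeholder such as `--key-subject="<value from the registry>"`. The blank line this hunk inserts before it is the right fix for rendering (without it the item runs into the `Most do not, but some registries require one more step:` paragraph), and since the line is already being touched, the wording is worth fixing in the same pass.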
@@ -67,13 +68,14 @@ Some registries prioritize user experience over strictest security. They can sim
In [`config.toml`](https://doc.rust-lang.org/cargo/reference/config.html) and `credentials.toml` files there is a field called `private-key`, witch is a private key formatted in the secret [subset of `PASERK`](https://github.com/paseto-standard/paserk/blob/master/types/secret.md) and is used to sign asymmetric tokens
A keypair can be generated with `cargo login --generate-keypair` which will:
- generate a public/private keypair in the currently recommended fashion.
- save the private key in `credentials.toml`.
-
- print the public key and the path to the file.
-
(See unresolved questions section.)
+
- print the public key in [PASERK public](https://github.com/paseto-standard/paserk/blob/master/types/public.md) format.
It is recommended that the `private-key` be saved in `credentials.toml`. It is also supported in `config.toml`, primarily so that it can be set using the associated environment variable. Witch is the recommended way to provide it in CI contexts. This set up is what we have for the `token` field for setting a secret token.
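Review bot: removing the `(See unresolved questions section.)` pointer implies the question of what `--generate-keypair` prints is now settled (PASERK public only, no file path), but this diff does not touch the unresolved-questions section; the matching entry there should be removed or marked resolved in the same commit so the two do not drift. While this hunk is open, two typos in its context lines are worth taking: `witch` should be `which` in both the `private-key` sentence and `Witch is the recommended way`, and `set up` used as a noun is `setup`. Since the `config.toml` form of `private-key` exists mainly for the environment-variable path, the text could also state outright that the key should not live in a `config.toml` that is checked into a repository.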
@@ -85,6 +87,8 @@ Both fields can be set with `cargo login --registry=name --private-key="key" --p
A registry can have at most one of `private-key`, `token`, or `credential-process` set.
+
## The authentication process
+
When authenticating to a registry, Cargo will generate a PASETO in the [v3.public format](https://github.com/paseto-standard/paseto-spec/blob/master/docs/01-Protocol-Versions/Version3.md). This format uses P-384 and 384-bit ECDSA secret keys, and is compatible with keys stored in contemporary hardware tokens. The generated PASETO will have specific "claims" (key-value pairs in the PASETO's JSON payload). The claims within the PASETO will include at least:
- The current time.
- The challenge, if cargo has received a challenge from a 401/403 from this server this session. A server that issues challenges should have some stateful way of knowing which challenges have been used and which ones are still available.
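Review bot: the new `## The authentication process` heading lands directly under `A registry can have at most one of `private-key`, `token`, or `credential-process` set.`, so that one-line rule now closes the previous section by itself; acceptable, but confirm the heading level matches the sibling section headings in this file, which the hunk does not show. In the context below the heading, `The challenge, if cargo has received a challenge from a 401/403 from this server this session.` is hard to parse; suggest `The challenge, if the server returned one in a 401/403 response earlier in this session.` The server-side requirement in the same bullet (tracking which challenges are used and which are still available) would also benefit from saying that challenges expire, otherwise that state only grows.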