TUF CLI: Improve experience by allowing offline signature generation #205
Comments
Definitely like this approach! It mirrors what you might do with offline signing of a CSR for X509, where a service generates a CSR and you take just the CSR to an offline key to sign it. This will also avoid requiring two TUF repos set up, one for online and one for offline.
/assign @znewman01
If you comment here @znewman01 we can assign you the issue.
commenting!
@asraa I see discussion in #213 about support for key imports etc. Can you clarify for this issue: when you say signed with an "offline tool" what do you mean:
(Hopefully my question makes sense.)
Sure! Admittedly I think there's some confusion between the CLI/exposed API...
Yeah, I think we need public key imports via CLI (a method already exists for this in the API -- AddVerificationKey) to make this work. In root-signing none of the private key material is held in the TUF repo. We use the AddVerificationKey method to add the keys to the repo. So in your offline repo you have your private key material, export it and deliver it to the online repo that Adds it to a role, and then you can use the payload generation/add signature flow. The purpose of the
* feat: Add `payload` and `add-signature` commands. Fixes #205.
* docs: Clarify `payload` and `add-signature` args. Specifically, they expect a metadata file name, *not* a role name. Added a test for each.
* feat: Add `sign-payload` command. This completes the offline flow:

  ```shell
  tuf payload root.json > /tmp/root.json.payload
  tuf sign-payload --role=root /tmp/root.json.payload > /tmp/root.json.sigs
  tuf add-signatures --signatures /tmp/root.json.sigs root.json
  ```

  Additional changes:
  - rename `add-signature` to `add-signatures`
  - `add-signatures` expects JSON (from `sign-payload`) rather than hex bytes
* docs: Beef up documentation for offline signature flow.
  - move CLI commands to matching file names
  - add examples to README.md
  - more details for `repo.SignPayload` docs
* docs: Point out where keys are stored in `sign-payload` docs
* fix: ensure that output is canonicalized
* style: rename ErrInsufficientKeys to ErrNoKeys
* doc: minor `tuf sign-payload` clarification
* test: add client test for offline flow
* test: fix tests after rebase
This would help using the TUF CLI in more tightly controlled key environments, e.g. an air-gapped situation.
I propose two methods:
- `tuf payload <role>` that outputs the canonicalized, signable content of the role's metadata file
- `tuf add-signature <role> --signature <sig_file>` that adds a signature (hex-encoded bytes), generated by an offline tool, to the role. This should verify the signature first.

@haydentherapper
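The end-to-end flow the thread settles on, as an added Go example that is not go-tuf's own code and uses none of its API: `Payload` plays the part of `tuf payload`, `SignPayload` of `tuf sign-payload`, and `AddSignatures` of `tuf add-signatures`, including the verify-before-add requirement in the proposal above and the precondition from the discussion that the role's public keys were imported first (the `AddVerificationKey` step). It assumes Ed25519 keys, a hand-written simplified canonical-JSON routine standing in for the real canonicalizer, a hypothetical key ID derived as the SHA-256 of the raw public key bytes, and constructed sample root metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Signature is one entry of a TUF "signatures" array: sign-payload's output, add-signatures' input.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Constructed sample root metadata for this example; not taken from any real repository.
const sampleRoot = `{"signed": {"_type": "root", "version": 2, "expires": "2030-01-01T00:00:00Z"}, "signatures": []}`
// canonical writes v as canonical JSON (sorted keys, no whitespace, integers only, only '"' and '\'
// escaped). Simplified stand-in written for this example; sorted keys make the bytes reproducible.
func canonical(v interface{}, b *strings.Builder) error {
	switch x := v.(type) {
	case float64:
		if x != float64(int64(x)) { return fmt.Errorf("canonical JSON permits only integers, got %v", x) }
		b.WriteString(strconv.FormatInt(int64(x), 10))
	case string:
		b.WriteString(`"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(x) + `"`)
	case []interface{}:
		b.WriteByte('[')
		for i, e := range x {
			if i > 0 { b.WriteByte(',') }
			if err := canonical(e, b); err != nil { return err }
		}
		b.WriteByte(']')
	case map[string]interface{}:
		keys := make([]string, 0, len(x))
		for k := range x { keys = append(keys, k) }
		sort.Strings(keys)
		b.WriteByte('{')
		for i, k := range keys {
			if i > 0 { b.WriteByte(',') }
			canonical(k, b)
			b.WriteByte(':')
			if err := canonical(x[k], b); err != nil { return err }
		}
		b.WriteByte('}')
	default:
		return fmt.Errorf("unsupported JSON type %T", v)
	}
	return nil
}

// Payload is the online step (tuf payload root.json): the canonical bytes of "signed". Only these cross the air gap.
func Payload(metadata []byte) ([]byte, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(metadata, &doc); err != nil { return nil, err }
	var b strings.Builder
	if err := canonical(doc["signed"], &b); err != nil { return nil, err }
	return []byte(b.String()), nil
}

// keyID is a hypothetical simplification for this example: hex SHA-256 of the raw public key bytes.
func keyID(pub ed25519.PublicKey) string { h := sha256.Sum256(pub); return hex.EncodeToString(h[:]) }
// SignPayload is the offline step (tuf sign-payload --role=root): it runs where the private key
// lives and sees nothing but the payload bytes.
func SignPayload(priv ed25519.PrivateKey, payload []byte) Signature {
	return Signature{KeyID: keyID(priv.Public().(ed25519.PublicKey)), Sig: hex.EncodeToString(ed25519.Sign(priv, payload))}
}

// AddSignatures is the online step (tuf add-signatures). verificationKeys holds the public keys
// imported earlier for the role (the AddVerificationKey step), by key ID. Every signature is verified
// over the canonical payload before anything is written; an unknown key ID or a bad signature
// rejects the whole batch.
func AddSignatures(metadata []byte, sigs []Signature, verificationKeys map[string]ed25519.PublicKey) ([]byte, error) {
	payload, err := Payload(metadata)
	if err != nil { return nil, err }
	var doc map[string]interface{}
	if err := json.Unmarshal(metadata, &doc); err != nil { return nil, err }
	existing, _ := doc["signatures"].([]interface{})
	for _, s := range sigs {
		pub, ok := verificationKeys[s.KeyID]
		if !ok { return nil, fmt.Errorf("keyid %s is not a verification key for this role", s.KeyID) }
		raw, err := hex.DecodeString(s.Sig)
		if err != nil || !ed25519.Verify(pub, payload, raw) {
			return nil, fmt.Errorf("signature from keyid %s does not verify over the payload", s.KeyID)
		}
		existing = append(existing, s)
	}
	doc["signatures"] = existing
	return json.Marshal(doc)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated offline; only the public half is imported online
	payload, _ := Payload([]byte(sampleRoot))
	out, err := AddSignatures([]byte(sampleRoot), []Signature{SignPayload(priv, payload)}, map[string]ed25519.PublicKey{keyID(pub): pub})
	fmt.Println(string(out), err)
}
```

Run as a program it prints the signed metadata. The behaviours worth checking are the rejections: an unknown key ID, a signature that does not verify, and a payload that changed between `payload` and `add-signatures` (for example a bumped version) all fail before anything is written. Because the canonicalization is deterministic, the offline side can recompute the bytes from the metadata it is shown rather than blindly signing whatever it was handed.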