signify
Add print fingerprint via -F feature
To know the fingerprint used for a sec/pub/sig, the option -F is added, which works in combination with -s, -p or -x. It will load the file and print the used fingerprint in hex.
This feature was ported over from OpenWrt's usign, which is a slimmed, simpler implementation of signify.
Signed-off-by: Paul Spooren [email protected]
OpenWrt package manager and sysupgrade functionality relies on usign, which is a slimmed version of signify. There are currently some efforts to use signify instead.
The OpenWrt build system currently requires a fingerprint feature which was added to usign but is lacking for signify.
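As an added illustration of what the -F option reports (example code written for this page, not the patch's or signify's own code): this Python snippet reads the base64 payload of a signify public key, secret key or signature file and returns the 8-byte key number that serves as the fingerprint, and checks that a signature's key number matches the public key's. It assumes the standard signify file layout (an "untrusted comment:" line followed by a base64 line beginning with the algorithm id "Ed"); the sample files are constructed inline from filler bytes and are not a real key pair.

```python
import base64
# Payload layouts of signify files: a 2-byte algorithm id "Ed" followed by
# an 8-byte key number (the fingerprint) and the key or signature material.
PUBKEY_LEN = 2 + 8 + 32                    # pkalg, keynum, ed25519 public key
SIG_LEN = 2 + 8 + 64                       # pkalg, keynum, ed25519 signature
SECKEY_LEN = 2 + 2 + 4 + 16 + 8 + 8 + 64   # pkalg, kdfalg, rounds, salt, checksum, keynum, seckey
COMMENT_HDR = "untrusted comment: "

def decode_file(text):
    """Return (comment, raw payload) of a signify pub/sec/sig file."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT_HDR):
        raise ValueError("missing 'untrusted comment:' header line")
    return lines[0][len(COMMENT_HDR):], base64.b64decode(lines[1], validate=True)

def fingerprint(text):
    """Hex key number of a sec/pub/sig file, the value -F is meant to print."""
    _, raw = decode_file(text)
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm id %r" % raw[:2])
    if len(raw) in (PUBKEY_LEN, SIG_LEN):
        keynum = raw[2:10]
    elif len(raw) == SECKEY_LEN:
        keynum = raw[32:40]  # keynum sits after pkalg, kdfalg, rounds, salt, checksum
    else:
        raise ValueError("unexpected payload length %d" % len(raw))
    return keynum.hex()

def same_key(pubkey_text, sig_text):
    """True when the signature carries the key number of the given public key."""
    return fingerprint(pubkey_text) == fingerprint(sig_text)

def make_file(comment, payload):
    """Build a signify-style file; used here only to construct sample inputs."""
    return COMMENT_HDR + comment + "\n" + base64.b64encode(payload).decode() + "\n"

# Constructed sample files with fixed filler bytes, not a real key pair.
KEYNUM = bytes.fromhex("0123456789abcdef")
SAMPLE_PUB = make_file("openwrt test key", b"Ed" + KEYNUM + bytes(32))
SAMPLE_SEC = make_file("signify secret key",
                       b"Ed" + b"BK" + bytes(4) + bytes(16) + bytes(8) + KEYNUM + bytes(64))
SAMPLE_SIG = make_file("verify with openwrt.pub", b"Ed" + KEYNUM + bytes(64))
OTHER_SIG = make_file("verify with other.pub", b"Ed" + bytes(8) + bytes(64))

if __name__ == "__main__":
    for name, f in (("pub", SAMPLE_PUB), ("sec", SAMPLE_SEC), ("sig", SAMPLE_SIG)):
        print(name, fingerprint(f))
    print("own sig:", same_key(SAMPLE_PUB, SAMPLE_SIG), "foreign sig:", same_key(SAMPLE_PUB, OTHER_SIG))
```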
Any chance to get a comment on this?
You should! To make this a bit easier for me, this is a change that diverges from upstream OpenBSD, right? Is upstream aware, what do they think?
Well I tried to make upstream aware of this by sending it to the "official" looking github mirror.
@aparcar In this case “upstream” would be the OpenBSD project. The goal of this project here in GitHub is to take OpenBSD's code and make it buildable on GNU/Linux and possibly other systems. The best way to get the feature added would be submitting a diff to the [email protected] mailing list (more here) explaining how the feature is useful.
Now, regarding the patch itself, the added code looks good to me and it is small, so if the OpenBSD folks think the feature is interesting I suppose that it may not be difficult to get it added :smiley:
What do you think about trying to submit it to OpenBSD? If the patch does not get accepted by them, then I can reconsider maintaining the patch here myself, but I would rather do that as the second option.
Are the fingerprints important? The pub keys are so small that we may use them directly. The fingerprint in usign is 8 bytes e.g. 16 hex. The whole ed25519 pub key is 32 bytes e.g. 64 hex or 44 in b64. The typical RSA fingerprint is 34 hex.
I guess we stick with usign for now until we either switch to something based on a SSL library which now ships with OpenWrt anyway or find something with PQC features. Closing this.
@aparcar we can use the PKCS#7 detached signatures and .p7s files (same as in S/MIME). The ed25519 is supported there.
It is still not so widely supported, but this is a standard.
We can use OpenSSL to sign and verify with openssl cms. Still, the openssl-tools is complicated and may be too big a dependency for routers, so maybe a custom tool can be used instead.
On a desktop users can sign/verify with Kleopatra.
Other alternatives are:
- GnuPG gpgv - a short version of GPG with only sig verifying.
- OpenSSH sign/verify but it's really badly designed and not used by anyone.