Import key-pair to GCP KMS
Hello,
I have generated a key-pair using ./cosign-darwin-amd64 generate-key-pair and used it to sign several container images.
And now I want to import the key-pair into GCP KMS to store it securely.
Since I already used it to sign images, I do not want to regenerate a key-pair with the --kms gcpkms://... option.
When I tried to upload the signature in GCP using gcloud, I got the following error:
gcloud kms keys versions import \
--import-job test \
--location global \
--keyring g3s \
--key test \
--algorithm ec-sign-p256-sha256 \
--target-key-file cosign.key
ERROR: (gcloud.kms.keys.versions.import) INVALID_ARGUMENT: Wrapped ECDSA key has invalid length of 664.
Is there a way to import an already generated key into KMS?
Thanks
Hey!
I'm not sure there is a way to do that today - the cosign-generated keys are stored encrypted in a format that GCP won't natively know how to decrypt (a nacl/secretbox). It would probably be pretty straightforward to put together a small Go program to do the decryption, but I'm not sure it would make sense to add to cosign directly.
If you're interested in the Go program approach, I can provide a quick sample to get you started!
Hi @dlorenc, thanks for your answers! Yes please, I would like to try the Go approach. This could be part of a toolbox project near cosign.
@dlorenc
I would really appreciate it if you could share the Go program. I tried to incorporate the code from LoadPrivateKey, but for some reason it fails inside secretbox.Open.
cc @jp-gouin
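The sample program asked for in this thread is not on the page; the following is an added example (not cosign's, sigstore's or dlorenc's code) of the decryption step in Python. It assumes the envelope layout cosign's key file uses (a PEM block whose body is JSON naming an scrypt KDF with N/r/p and a salt, a nacl/secretbox cipher with a 24-byte nonce, and the ciphertext; the plaintext is the PKCS#8 DER of the P-256 key), the pynacl package for the secretbox step, and that gcloud's --target-key-file wants that PKCS#8 DER rather than cosign.key itself, which is why KMS rejected the 664-byte encrypted file. make_sample_pem builds a constructed envelope only so the parser can be exercised offline.

```python
import base64
import hashlib
import json
import re
from collections import namedtuple

# cosign has written both PEM block types over time (assumed; check your file's header).
PEM_TYPES = ("ENCRYPTED COSIGN PRIVATE KEY", "ENCRYPTED SIGSTORE PRIVATE KEY")
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
EncryptedKey = namedtuple("EncryptedKey", "n r p salt nonce ciphertext")


def parse_cosign_key(pem_text: str) -> EncryptedKey:
    """Unwrap the PEM/JSON envelope and refuse anything but scrypt + nacl/secretbox."""
    m = _PEM_RE.search(pem_text)
    if not m or m.group(1) not in PEM_TYPES:
        raise ValueError("not an encrypted cosign private key PEM block")
    env = json.loads(base64.b64decode(m.group(2)))  # b64decode drops the PEM line breaks
    if env["kdf"]["name"] != "scrypt" or env["cipher"]["name"] != "nacl/secretbox":
        raise ValueError("unexpected kdf/cipher combination")
    prm = env["kdf"]["params"]
    key = EncryptedKey(int(prm["N"]), int(prm["r"]), int(prm["p"]),
                       base64.b64decode(env["kdf"]["salt"]),
                       base64.b64decode(env["cipher"]["nonce"]),
                       base64.b64decode(env["ciphertext"]))
    if len(key.nonce) != 24:
        raise ValueError("secretbox nonce must be 24 bytes")
    return key


def decrypt_to_pkcs8_der(pem_text: str, password: bytes) -> bytes:
    """scrypt the password into the 32-byte secretbox key, open the box, return PKCS#8 DER."""
    import nacl.secret  # pynacl; needed only for this step
    k = parse_cosign_key(pem_text)
    # OpenSSL's default 32 MiB scrypt memory cap is too small for N=32768, r=8; size it from the params.
    maxmem = 128 * k.r * (k.n + k.p + 2) + 4096
    box_key = hashlib.scrypt(password, salt=k.salt, n=k.n, r=k.r, p=k.p, maxmem=maxmem, dklen=32)
    return nacl.secret.SecretBox(box_key).decrypt(k.ciphertext, k.nonce)  # raises on wrong password


def make_sample_pem(salt: bytes, nonce: bytes, ciphertext: bytes) -> str:
    """Constructed envelope (not a real cosign key) for exercising the parser offline."""
    body = json.dumps({"kdf": {"name": "scrypt", "params": {"N": 32768, "r": 8, "p": 1},
                               "salt": base64.b64encode(salt).decode()},
                       "cipher": {"name": "nacl/secretbox", "nonce": base64.b64encode(nonce).decode()},
                       "ciphertext": base64.b64encode(ciphertext).decode()}).encode()
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (PEM_TYPES[0], b64, PEM_TYPES[0])
```

Write the bytes returned by decrypt_to_pkcs8_der(open("cosign.key").read(), password) to a file and pass that file as --target-key-file with --algorithm ec-sign-p256-sha256; keep the decrypted file only as long as the import takes.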