sget-rs

ssh key usage

Open lukehinds opened this issue 3 years ago • 2 comments

Looking at Frank's wasmsign2 code base, it's possible to sign and verify using ed25519 ssh keys

https://github.com/wasm-signatures/wasmsign2#openssh-keys-support

With this approach a developer can use their existing ssh keys, and we can easily look to retrieve keys from https://github.com/$USER.keys and https://gitlab.com/$USER.keys

This would then play out as

sget sign --key ~/.ssh/id_ed25519

The verify operation we can scope out better once the dust settles on policy structure.

lukehinds, Jan 17 '22 15:01

cc @lkatalin

lukehinds, Jan 17 '22 15:01

Just a warning that if we do this, we should be clear which signature specification we're using. It looks like the wasm-sign code uses SSH keys, but generates standard ed25519 signatures. SSH itself generates similar signatures, but they're not directly compatible: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig

dlorenc, Jan 17 '22 16:01
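
To illustrate the two points raised in this thread, the following added example (not code from sget-rs, wasmsign2 or any commenter) extracts the raw 32-byte Ed25519 key from a `.keys`-style line and builds the byte string that an SSHSIG signature covers per PROTOCOL.sshsig, which differs from the raw message a plain Ed25519 signature covers. The function names are hypothetical, and the key, message and `file` namespace are constructed sample values.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf: bytes, off: int):
    """Return (value, next_offset), rejecting truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def raw_ed25519_from_keys_line(line: str) -> bytes:
    """Extract the 32-byte Ed25519 key from '<type> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = read_ssh_string(blob, 0)
    key, off = read_ssh_string(blob, off)
    if key_type != b"ssh-ed25519" or len(key) != 32 or off != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return key

def sshsig_signed_data(message: bytes, namespace: str, hash_alg: str = "sha512") -> bytes:
    """Bytes an SSHSIG signature covers (PROTOCOL.sshsig), not the raw message."""
    if hash_alg not in ("sha256", "sha512"):
        raise ValueError("unsupported hash algorithm")
    if not namespace:
        raise ValueError("namespace must not be empty")
    digest = hashlib.new(hash_alg, message).digest()
    return (b"SSHSIG" + ssh_string(namespace.encode())
            + ssh_string(b"")  # reserved field, currently empty
            + ssh_string(hash_alg.encode()) + ssh_string(digest))

# Constructed sample values (not a real key or artifact).
SAMPLE_KEY = bytes(range(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_KEY)).decode() + " dev@example"
SAMPLE_MESSAGE = b"constructed artifact bytes"

if __name__ == "__main__":
    print("raw public key:", raw_ed25519_from_keys_line(SAMPLE_LINE).hex())
    print("raw Ed25519 signs:", SAMPLE_MESSAGE)
    print("SSHSIG signs     :", sshsig_signed_data(SAMPLE_MESSAGE, "file").hex())
```

A verifier has to know which of the two inputs the signer used, and for SSHSIG it also has to agree on the namespace, since a different namespace yields different signed bytes.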