New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support PGP Ed25519 keys #1438
Comments
#286 is the blocker, the pgp library we're using is deprecated but another part of the code depends on it still. At a glance it looks like https://github.com/ProtonMail/go-crypto support ed25519 |
See the update on the linked issue, we should be able to start using the newer library, but we still need to rely on the deprecated one for RPM packages. Do you know if Debian packages or other packages you're working with use the openpgp v4 format? |
The relevant apt-signer OpenPGP keys I am uploading signed artifacts for are here: https://gitlab.com/debdistutils/debdistcanary/-/tree/main/openpgp I had to use It seems actually ALL of those keys are RSA v4 keys?! Uploading things signed by these keys works fine though.
|
I think we might actually support V4 signatures currently, since I believe x/go/crypto does in addition to V3 signatures. For ed25519, another thing to note is that the hashedrekord Rekor type doesn't support it currently, we need to switch to ed25519ph (but this is a moot point since our pgp library doesnt support either!). You may find more rough edges too, we appreciate the filed issues! |
Yes I think you do support V4 signature. The output above was to prove that the keys were OpenPGP v4, however what is also relevant is the signatures, and they are also all V4 for the keys that I care about. See output below. It is critical to strip all non-selfsignatures for rekor to accept these keys though, otherwise rekor will reject them if they contain a ed25519 signature from someone else. The three concerns I have with PGP-handling in rekor are:
I believe if rekor would minimize/canonicalize the public keys, the #1429 would be solved as well, since it is really just a side-effect of not performing any sanitation of the received public key.
|
I think #1170 is another example of not canonicalizing the public keys received when uploading. Generally, rather than taking the public keys or certificates and store them verbatim, I think rekor should parse them, minimize and strip anything unrelated, and export it again and then store that public keys in the ledger log. Right now, I think that if I make two uploads with the same signature, artifact and the public keys only differ by some whitespace in the ASCII-armor (or a comment), rekor will create two different entries for them. Searching for particular public keys breaks in this case. A corner-case is how to handle signatures signed by multiple public keys, but I think rekor should require that all public keys mentioned in the signature file should be uploaded. |
Hi. It seems rekor does not support OpenPGP Ed25519 keys, please add support for them. Thank you!
The text was updated successfully, but these errors were encountered: