Skip to content
This repository has been archived by the owner on Mar 7, 2024. It is now read-only.

feat: Decouple signing #62

Closed
udf2457 opened this issue Sep 3, 2023 · 4 comments
Closed

feat: Decouple signing #62

udf2457 opened this issue Sep 3, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@udf2457
Copy link

udf2457 commented Sep 3, 2023
edited
Loading

Is your feature request related to a problem? Please describe.

From my brief reading of the metadata code, at present your library appears to make the same mistake as theupdateframework/go-tuf in that key signing is tighly coupled to primitive and crude on-disk keyfiles.

This means that real-world secure key storage such as PKCS#11 (theupdateframework/go-tuf#427), AWS KMS (theupdateframework/go-tuf#525) and others e.g. Yubikey are not readily supported and require hacky work-around kludges to work (e.g. manually hacking json files).

Describe the solution you'd like

Of course support for signing from local keyfiles stored on disk should remain, but integration with real world applications where the private key is stored in a non-exfilterable format should be supported.

Describe alternatives you've considered

No response

Additional context

No response
@udf2457 udf2457 added the enhancement New feature or request label Sep 3, 2023
@udf2457 udf2457 changed the title Decouple signing feat: Decouple signing Sep 3, 2023
@MDr164
Copy link
Collaborator

MDr164 commented Sep 11, 2023

Sounds like a good idea, we should create a signer package that simply takes in bytes and outputs signed bytes instead of signing only files.

@rdimitrov
Copy link
Owner

@udf2457 - It is definitely something we should have in go-tuf/go-tuf-metadata 👍 I'm supportive of refactoring the existing signer mechanism to incorporate such support. Let me know if I can help you or someone else who is interested in contributing with that. Currently we are finalising the testing (@MDr164 and @ivanayov helped a lot) and eventually we'll start copying the codebase to go-tuf where they'll live in parallel for a start so it's less of a change. I can try to squeeze something else in my agenda but unfortunately I cannot promise anything, at least for next few weeks.

@jku
Copy link

jku commented Dec 11, 2023

For reference, in python-tuf we ended up with https://github.com/secure-systems-lab/securesystemslib/tree/main/securesystemslib/signer: It's certainly not perfect but manages to support yubikeys, 3 different KMSs, sigstore (experimentally), etc

The documentation is not as good as it should be but if someone starts thinking about this issue in go-tuf-metadata, feel free to ping me or @lukpueh for some consultation

@rdimitrov rdimitrov mentioned this issue Jan 31, 2024
Open
@rdimitrov
Copy link
Owner

Closing in favour of theupdateframework/go-tuf#594

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jku @udf2457 @rdimitrov @MDr164