Add print fingerprint via -F feature

aperezdc / signify

OpenBSD tool to sign and verify signatures on files. Portable version.

ISC License

272 stars 16 forks source link

Add print fingerprint via -F feature #29

Closed aparcar closed 11 months ago

aparcar commented 4 years ago

To know the fingerprint used for a sec/pub/sig the option -F is added which works in combination with -s, -p or -x. It will load the file and and print the used fingerprint in hex.

This feature was ported over from OpenWrt's usign0, which is a slimmed simpler implementation of signify.

Signed-off-by: Paul Spooren mail@aparcar.org

aparcar commented 4 years ago

OpenWrt package manager and sysupgrade functionality relies on usign which is a slimmed version of signify. There are currently some efforts to use signify instead.

The OpenWrt build system currently requires a fingerprint feature which was added to usign, however is lacking for signify.

aparcar commented 3 years ago

Any chance to get a comment on this?

marcusmueller commented 3 years ago

Any chance to get a comment on this?

You should! To make this a bit easier for me, this is a change that diverges from upstream OpenBSD, right? Is upstream aware, what do they think?

aparcar commented 3 years ago

Well I tried to make upstream aware of this by sending it to the "official" looking github mirror.

aperezdc commented 3 years ago

@aparcar In this case “upstream” would be the OpenBSD project. The goal of this project here in GitHub is to take OpenBSD's code and make it buildable on GNU/Linux and possibly other systems. The best way to get the feature added would be submitting a diff to the tech@openbsd.org mailing list (more here) explaining how the feature is useful.

Now, regarding the patch itself, the added code looks good to me and it is small, so if the OpenBSD folks think the feature is interesting I suppose that it may not be difficult to get it added :smiley:

What do you think about trying to submit it to OpenBSD? If the patch does not get accepted by them, then I can reconsider maintaining the patch here myself, but I would rather do that as the second option.

stokito commented 11 months ago

Are the fingerprints are important? The pub keys are so small that we may use them directly. The fingerprint in usign is 8 bytes e.g. 16 hex. The whole ed25519 pub key is 32 bytes e.g. 64 hex or 44 in b64. The typical RSA fingerprint is 34 hex.

aparcar commented 11 months ago

I guess we stick with usign for now until we either switch to something based on a SSL library which now ship with OpenWrt anyway or find something with PQC features. Closing this.

stokito commented 10 months ago

@aparcar we can use the PKCS#7 detached signatures and .p7s files (same as in S/MIME). The ed25519 is supported there.

It still not so widely supported, but this is a standard. We can use OpenSSL to sign and verify with openssl cms. Still the openssl-tools is complicated may be a too big dependency for routers so maybe a custom tool can be used instead. On a desktop users can sign/verify with Kleopatra.

Other alternatives are:

GnuPG gpgv - a short version of GPG with only sig veryfying.
OpenSSH sign/verify but it's really badly designed and not used by anyone.