Closed alexgg closed 6 months ago
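# Manual test, step 1: bootstrap the signing service with a GPG key, an RSA
# key and the pk, kek, db and kmod certificates.
# Replace the <...> placeholders before running. They are quoted so the shell
# does not parse the angle brackets as redirections.
export SIGN_API="https://<uuid>.balena-devices.com/"
export SIGN_API_KEY="<API KEY>"
# NOTE(review): the API key travels in a -H argument, so it is visible in the
# process list and in shell history. On a shared machine, load it from a file
# only the operator can read instead of typing it inline.
# ${SIGN_API%/} drops the trailing slash so the request path is /bootstrap
# rather than //bootstrap.
curl "${SIGN_API%/}/bootstrap" -X POST -H "X-API-Key: ${SIGN_API_KEY}" -H "Content-type: application/json" -d '{
"gpg": {"name_real": "balenaOS GRUB GPG key", "name_email": "security@balena.io"},
"rsa": {},
"certificates": {
"pk": {"cert_id": "balenaos-pk", "subject": "/CN=balenaOS PK/"},
"kek": {"cert_id": "balenaos-kek", "subject": "/CN=balenaOS KEK/"},
"db": {"cert_id": "balenaos-db", "subject": "/CN=balenaOS db/"},
"kmod": {"cert_id": "balenaos-kmod", "subject": "/CN=key for signing 3rd party balenaOS kernel modules/", "key_length": 4096}
}
}'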
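# Manual test, step 2: list the RSA keys held by the service, then request one
# of them by its fingerprint. --fail makes curl exit non-zero on an HTTP error.
# NOTE(review): neither call sends the X-API-Key header; presumably these
# read-only endpoints are meant to be unauthenticated. Confirm.
# ${SIGN_API%/} drops a trailing slash so the path does not start with "//".
curl --fail "${SIGN_API%/}/rsa/keys"
# Placeholder: paste a fingerprint printed by the call above. It is quoted so
# the angle brackets are not parsed as redirections.
export SIGN_RSA_KEY_ID="<key fingerprint from above>"
curl --fail "${SIGN_API%/}/rsa/key/${SIGN_RSA_KEY_ID}"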
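# Manual test, step 3: sign a local artifact with the selected RSA key.
# mktemp provides an unpredictable, owner-only file for the request body.
# The assignment is kept separate from export so a mktemp failure is not
# hidden behind export's own exit status.
REQUEST_FILE=$(mktemp)
export REQUEST_FILE
export SIGNING_ARTIFACT=balenasign.svg
# The body carries the key id and the artifact as single-line base64
# (-w 0 disables line wrapping; GNU coreutils option). printf with a fixed
# format is used so the values are never interpreted by echo.
printf '{"key_id": "%s", "payload": "%s"}\n' "${SIGN_RSA_KEY_ID}" "$(base64 -w 0 "${SIGNING_ARTIFACT}")" > "${REQUEST_FILE}"
# ${SIGN_API%/} drops a trailing slash so the path does not start with "//".
curl --fail "${SIGN_API%/}/rsa/sign" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}"
# Do not leave the request body behind once it has been sent.
rm -f -- "${REQUEST_FILE}"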
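# Manual test: POST a key/data/salt document to the service's /import endpoint.
# The field values are omitted on the page and are presumably sensitive, so the
# request body must not live at a fixed, guessable path such as /tmp/request.
# There it would be created with the default umask and could be pre-created or
# symlinked by another local user. mktemp gives an unpredictable, owner-only
# file instead.
REQUEST_FILE=$(mktemp)
export REQUEST_FILE
echo '{
"key": "<omitted>",
"data": "<omitted>",
"salt": "<omitted>"
}' > "${REQUEST_FILE}"
# ${SIGN_API%/} drops a trailing slash so the path does not start with "//".
curl "${SIGN_API%/}/import" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}"
# Remove the request body as soon as it has been sent.
rm -f -- "${REQUEST_FILE}"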
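# Manual test: POST a "key" value to the service's /export endpoint.
# The value is omitted on the page and is presumably sensitive, so the request
# body is written to an unpredictable, owner-only mktemp file rather than the
# fixed path /tmp/request, which other local users could read or pre-create.
REQUEST_FILE=$(mktemp)
export REQUEST_FILE
echo '{
"key": "<omitted>"
}' > "${REQUEST_FILE}"
# NOTE(review): the response presumably contains exported key material; avoid
# leaving it in terminal scrollback or logs. Confirm what the endpoint returns.
# ${SIGN_API%/} drops a trailing slash so the path does not start with "//".
curl "${SIGN_API%/}/export" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}"
# Remove the request body as soon as it has been sent.
rm -f -- "${REQUEST_FILE}"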
lgtm
Manual testing
Bootstrapping
Listing keys
Signing