depatchedmode
commented
9 months ago How does someone address this w/o nix?
Open depatchedmode opened 9 months ago
depatchedmode
commented
9 months ago How does someone address this w/o nix?
zeeshanlakhani
commented
9 months ago @depatchedmode so it's not about Nix. Homebrew's OpenSSL install works as well. The issue is that the default OSX OpenSSL is LibreSSL, so not OpenSSL, the latter of which is more predominant outside of OSD default installs. We could try to add some special handling of OSX in Homestar and see which variant of OpenSSL is installed, but that would involve some special-casing code, and we don't control or know how/where people generated their keys. So, that's always the difficulty too, as it may not be from the OpenSSL installed in your path.
Otherwise, with LibreSSL, this is a known issue.
TBH, All of this becomes not needed when our key init functionality within Homestar comes into place, which is being worked on right now by @QuinnWilton.
depatchedmode
commented
9 months ago @zeeshanlakhani So, it sounds like we just want to make sure people have OpenSSL on their machine, and then provide generic instructions to get that setup. Given that it will be obsolesced by WIP, for now I'll just at that tip to the docs "Please make sure you have OpenSSL installed. By default MacOS ships with LibreSSL, which will cause errors."
zeeshanlakhani
commented
9 months ago @depatchedmode is probably worth linking options to install via Homebrew, etc.
bmann
commented
9 months ago Yeah, I think this gets replaced with doing this with CLI and/or Homestar. So if we want to turn this into a feature, it's something like "Generate a local key with Homestar", and from discord chat, I guess @QuinnWilton is working on this feature. Yay!
botovq
commented
9 months ago
openssl ecparam -genkey -name secp256k1 -outform DER -out secp256k1_key.der
You could add -noout. Then the instructions should work with both LibreSSL and OpenSSL:
openssl ecparam -genkey -name secp256k1 -outform DER -out secp256k1_key.der -noout
botovq
commented
9 months ago LibreSSL documents the flag as -noout Do not output the encoded version of the parameters.
The issue is that the output is the concatenation of the EC Parameters (only an object identifier since secp256k1 is a built-in curve) and the key. This is a long-standing bug for which OpenSSL added a workaround that introduces inconsistency between PEM and DER output.
Giving -noout short-circuits this code:
I inspected the keys output with -noout using LibreSSL 3.8.2, OpenSSL 3.2.1, OpenSSL 3.1.5, and OpenSSL 1.1.1w and they all look sensible. This doesn't cover LibreSSL 3.3.6 in question, but ecparam didn't change all that much over the years.
zeeshanlakhani
commented
9 months ago LibreSSL documents the flag as
-noout Do not output the encoded version of the parameters.The issue is that the output is the concatenation of the EC Parameters (only an object identifier since secp256k1 is a built-in curve) and the key. This is a long-standing bug for which OpenSSL added a workaround that introduces inconsistency between PEM and DER output.
Giving -noout short-circuits this code:
I inspected the keys output with
-nooutusing LibreSSL 3.8.2, OpenSSL 3.2.1, OpenSSL 3.1.5, and OpenSSL 1.1.1w and they all look sensible. This doesn't cover LibreSSL 3.3.6 in question, but ecparam didn't change all that much over the years.
yeah, I remember coming across this bug/issue, though I couldn't find it again (with the workarounds).
zeeshanlakhani
commented
9 months ago Yeah, I used the homebrewed openssl, but we can test this cc @depatchedmode @expede.
From Brook's clean install experience: