invopop / gobl.cli

The GOBL Command Line Interface
Apache License 2.0

CLI: Signing keys #3

Closed samlown closed 2 years ago

samlown commented 2 years ago

This was going to be put inside an RFC, but the reality is that it's pretty short.

The CLI needs to be able to support signing envelopes, otherwise it's not very useful as all gobl documents require at least one signature to be valid. The main complication around this is where and how to store the JSON Web Keys.

There are two main options we've come up with so far:

The SSH-like option is perhaps the most interesting as it opens up a set of possible commands on the interface:

GOBL already contains everything required to generate signatures inside the dsig package, so this is just a question of creating an interface.

We're expecting users to be able to upload their public keys to Invopop for storage; they should be easy to get to, either by looking at the ~/.gobl/id_es256.pub.jwk file or by generating it from the private key via the command line.

Key files are always in JSON format. Is it useful to add a .jwk or .json extension to each?
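As an added illustration of the key layout proposed in the post above (example code, not code from gobl.cli or its dsig package): generate an ES256 key pair as a private JWK, then derive the public id_es256.pub.jwk from it by validating the key type and dropping the private "d" member, using only the Go standard library. The file names come from the post; the plain-map JWK encoding is an assumption for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64 encodes a P-256 value as unpadded base64url, left-padded to the 32-byte width RFC 7518 requires.
func b64(n *big.Int) string {
	buf := make([]byte, 32)
	n.FillBytes(buf)
	return base64.RawURLEncoding.EncodeToString(buf)
}

// NewES256JWK generates a P-256 key pair and returns the private JWK
// (the contents of id_es256.jwk) as JSON.
func NewES256JWK() ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// "d" is the private scalar; it must never reach the .pub.jwk file.
	return json.Marshal(map[string]string{
		"kty": "EC", "crv": "P-256", "alg": "ES256", "x": b64(priv.X), "y": b64(priv.Y), "d": b64(priv.D),
	})
}

// PublicJWK derives id_es256.pub.jwk from the private file's bytes: check the key type, then drop "d".
func PublicJWK(privJSON []byte) ([]byte, error) {
	var k map[string]string
	if err := json.Unmarshal(privJSON, &k); err != nil {
		return nil, err
	}
	if k["kty"] != "EC" || k["crv"] != "P-256" || k["d"] == "" {
		return nil, fmt.Errorf("not an ES256 private JWK")
	}
	delete(k, "d")
	return json.Marshal(k)
}
func main() {
	priv, _ := NewES256JWK()
	pub, _ := PublicJWK(priv)
	fmt.Printf("%s\n%s\n", priv, pub)
}
```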

flimzy commented 2 years ago

A few random questions here:

samlown commented 2 years ago

By points:

flimzy commented 2 years ago

Google SDK uses the .json extension. I don't think those keys are actually JWKs, though. So maybe .jwk and .pub.jwk would make sense for us to disambiguate from SSH and Google?

samlown commented 2 years ago

> Google SDK uses the .json extension. I don't think those keys are actually JWKs, though. So maybe .jwk and .pub.jwk would make sense for us to disambiguate from SSH and Google?

True... .jwk does seem like a kind of norm (https://whatext.com/jwk). Let's do that then. I like the simplicity without, but .jwk does add meaning.

flimzy commented 2 years ago

I think this issue has now been implemented. Are there any details I've overlooked that still need attention, @samlown ?