kryptco / kr

DEPRECATED A dev tool for SSH auth + Git commit/tag signing using a key stored in Krypton.
https://krypt.co/developers/

Allow general PGP Signing (not just git) #242

Open mjungsbluth opened 5 years ago

mjungsbluth commented 5 years ago

It would be great to allow general PGP signatures.

Use Case: Google just released Binary Authorization for Kubernetes Clusters which is built on top of Grafeas and Kritis which essentially requires you to PGP sign docker image digests with a set of authorized keys. This limits an adversary’s possibility to deploy tampered workloads in your cluster.

I understand that a digest is not very informative on your phone but it is possible to check since it is visible in the docker registry.

Any chance to get this in (or rather relax the requirement on krgpg’s input text)?

heri16 commented 5 years ago

kr pgp-sign was never merged or abandoned: #159 #160

heri16 commented 5 years ago

Had a quick look at PR #160 and I think there should not be a problem adding a BlobSignRequest into krgpg.go of the master branch. All the parts are there. Would most likely need this myself for #248.

@danielshaar should I work on this?

agrinman commented 5 years ago

@heri16 This never made it into Krypton core as it never had much utility (pgp is not frequently used outside of signing git commits to our knowledge). It actually originated as a side project for a few of the team members. That said, it was never finished and never merged. Since the iOS branch and kr branch are pretty far diverged from when that PR was created, it would take a bit more work to merge now. If you'd like to submit a PR for kr we'd need a PR for iOS and/or Android as well to make it feature complete. You can take a look at https://github.com/kryptco/krypton-ios/pull/95/commits/8f4df45b88e38b52772922db3c5e96f3dc3713c1 as a starting point for iOS (Android was never started). The iOS branch has most of the logic / UX for doing PGP blob signing, it just needs to be refactored for some of the new architecture/design of Krypton.

heri16 commented 5 years ago

I am able to help with iOS and Android, but I'm just concerned with the time commitment, and my current lack of a working iOS dev environment. How did you guys manage to prove your PGP keys on Keybase.io?

agrinman commented 5 years ago

We did this while testing the pgp blob signing feature. krgpg implemented some of the gpg argument spec so that we could point keybase to use krgpg instead of gpg, which knew how to talk to Krypton on your phone.

janisz commented 5 years ago

Any update on this?

eliliam commented 3 years ago

Bump on this