Open lukehinds opened 2 years ago
cc @lkatalin
Just a warning that if we do this, we should be clear which signature specification we're using. It looks like the wasm-sign code uses SSH keys, but generates standard ed25519 signatures. SSH itself generates similar signatures, but they're not directly compatible: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig
Looking at Frank's wasmsign2 code base, it's possible to sign and verify using ed25519 SSH keys
https://github.com/wasm-signatures/wasmsign2#openssh-keys-support
With this approach a developer can use their existing ssh keys, and we can easily look to retrieve keys from https://github.com/$USER.keys and https://gitlab.com/USER.keys
This would then play out as:
sget sign --key ~/.ssh/id_ed25519
The verify operation we can scope out better once the dust settles on policy structure.
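The incompatibility raised in the comment above, as an added example that is not part of the thread and is not code from sget or wasmsign2: PROTOCOL.sshsig signs a wrapped blob rather than the message itself, so the same ed25519 key produces signatures that do not verify across the two schemes. The seed, message and the `file` namespace are constructed sample values, and `crossCheck` is a hypothetical helper name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH wire "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// sshsigSignedData builds the blob PROTOCOL.sshsig signs in place of the raw message:
// "SSHSIG" || string namespace || string reserved || string hash_algorithm || string H(message).
func sshsigSignedData(namespace string, msg []byte) []byte {
	h := sha512.Sum512(msg)
	var buf bytes.Buffer
	buf.WriteString("SSHSIG")
	buf.Write(sshString([]byte(namespace)))
	buf.Write(sshString(nil)) // reserved field, empty
	buf.Write(sshString([]byte("sha512")))
	buf.Write(sshString(h[:]))
	return buf.Bytes()
}

// crossCheck signs msg both ways with one key and reports which verifications pass.
func crossCheck(seed, msg []byte, ns string) (rawOK, sshsigOK, rawAsSshsig, sshsigAsRaw bool) {
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	blob := sshsigSignedData(ns, msg)
	rawSig := ed25519.Sign(priv, msg)  // "standard" ed25519 over the message
	sshSig := ed25519.Sign(priv, blob) // ed25519 over the SSHSIG wrapper
	return ed25519.Verify(pub, msg, rawSig), ed25519.Verify(pub, blob, sshSig),
		ed25519.Verify(pub, blob, rawSig), ed25519.Verify(pub, msg, sshSig)
}

func main() {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed seed, not a real key
	a, b, c, d := crossCheck(seed, []byte("constructed module bytes"), "file")
	fmt.Println(a, b, c, d)
}
```

A verifier therefore has to know which of the two formats a signature was produced in before it can check it, even when the key material is identical.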