This adds support for EdDSA pre-hashed signatures to sign-file (solokeys/solo#397), possibly including a trusted comment according to Minisign.
New sign-file flags:
    --minisign                 Use Minisign-compatible signatures (pre-hashed)
    --sig-file TEXT            Destination file for signature
                               (<filename>.(mini)sig if empty)
    --trusted-comment TEXT     Trusted comment included in global signature
                               (combine with --minisign) [default: <time and
                               file name, prehashed>]
    --untrusted-comment TEXT   Untrusted comment not included in global
                               signature (combine with --minisign and
                               --sig-file) [default: signature created on
                               solokey]
    --key-id TEXT              Key ID to write to signature file (8 bytes as
                               HEX) (combine with --minisign and --sig-file)
                               [default: <hash of credential ID>]
If the --minisign flag is passed, the signature will use pre-hashing with Blake2b-512 instead of SHA-256 and the signature file will be a Minisign-compatible signature. The flag can only be used with EdDSA credentials.
To be able to choose the credential type, I added the following flag to make-credential:
    --alg TEXT                 Algorithm(s) for key, separated by ',', in
                               order of preference [default: EdDSA,ES256]
To view supported algorithms, use the new solo key list-algorithms command.
make-credential now also supports saving Minisign keys for EdDSA credentials, and it prints the public key:
    --no-pubkey                Do not display public key
    --minisign                 Display public key in Minisign-compatible
                               format
    --key-file TEXT            File to store public key (use with --minisign)
    --key-id TEXT              Key ID to write to key file (8 bytes as HEX)
                               (use with --key-file) [default: <hash of
                               credential ID>]
    --untrusted-comment TEXT   Untrusted comment to write to public key file
                               (use with --key-file) [default: <key ID>]
Breaking change: the credential_id parameter is now assumed to be a HEX credential, to make it consistent with make-credential.
More info, mostly about an earlier version using a FIDO2 extension instead of a custom CTAP command, can be found in solokeys/solo#575.
See solokeys/solo#583 for the authenticator PR.
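To make the trusted/untrusted comment distinction above concrete, here is an added example (not code from this PR or from the solo tooling) that parses a pre-hashed Minisign signature file and shows which bytes the global signature covers. The file layout is taken from the public Minisign format description, the function names are hypothetical, the sample uses constructed placeholder bytes, and no Ed25519 verification is performed.

```python
import base64
import hashlib

UNTRUSTED = "untrusted comment: "
TRUSTED = "trusted comment: "

def prehash(data: bytes) -> bytes:
    """Blake2b-512 digest that a pre-hashed signature is computed over."""
    return hashlib.blake2b(data, digest_size=64).digest()

def parse_minisig(text: str) -> dict:
    """Split a Minisign signature file into fields; does not verify Ed25519."""
    lines = text.strip("\n").split("\n")
    if len(lines) != 4:
        raise ValueError("expected exactly 4 lines")
    if not lines[0].startswith(UNTRUSTED) or not lines[2].startswith(TRUSTED):
        raise ValueError("missing comment prefix")
    blob = base64.b64decode(lines[1], validate=True)
    global_sig = base64.b64decode(lines[3], validate=True)
    # Line 2 is algorithm (2 bytes) || key ID (8 bytes) || signature (64 bytes).
    if len(blob) != 2 + 8 + 64 or len(global_sig) != 64:
        raise ValueError("unexpected field length")
    if blob[:2] != b"ED":  # b"Ed" marks the legacy, non-pre-hashed variant
        raise ValueError("not a pre-hashed signature")
    trusted = lines[2][len(TRUSTED):]
    sig = blob[10:]
    return {
        "key_id": blob[2:10],
        "signature": sig,
        "untrusted_comment": lines[0][len(UNTRUSTED):],
        "trusted_comment": trusted,
        "global_signature": global_sig,
        # Bytes the global signature covers: signature || trusted comment.
        "global_message": sig + trusted.encode("utf-8"),
    }

def sample_minisig(untrusted: str) -> str:
    """Constructed sample: placeholder bytes, not real Ed25519 signatures."""
    blob = b"ED" + bytes(range(8)) + b"\x11" * 64
    return "\n".join([
        UNTRUSTED + untrusted,
        base64.b64encode(blob).decode(),
        TRUSTED + "timestamp:0 file:example.bin prehashed",
        base64.b64encode(b"\x22" * 64).decode(),
    ]) + "\n"
```

Two sample files that differ only in the untrusted comment yield the same `global_message`, so a verifier should display or act on the trusted comment only.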