zorgiepoo
commented
9 months ago We don't need to store the public_key. Changes to resolve this are in https://github.com/sparkle-project/Sparkle/pull/2472
Closed zorgiepoo closed 9 months ago
zorgiepoo
commented
9 months ago We don't need to store the public_key. Changes to resolve this are in https://github.com/sparkle-project/Sparkle/pull/2472
As discussed in #2467, our private signing key using https://github.com/orlp/ed25519 is not compatible with other libraries. This is because other libraries use
seedorseed + public_keyas their private key and instead oral/ed25519 hashes theseedso it doesn't have to re-hash it on every signing operation. Presently we discard theseedbefore the hashing operation so it is impossible to sign updates using other libraries which may be beneficial on other OS systems / toolchains / etc.Proposal is that for newly generated keys, we preserve the seed. Potentially the new format could be
seed + public_keyand we would just derive the private key from theseedandpublic_keyagain. On export/import we may want to consider using a binary format instead of base64 but I'm not sure yet. Compatibility considerations may need to be made so older tools don't accidentally leak newly generated private keys.