theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0

Support Adding External Keys #528

Closed ChevronTango closed 1 year ago

ChevronTango commented 1 year ago

The CLI currently has a gen-key method and a revoke-key method, but not an add-key method. This makes it hard for users with external keys, for example KMS or otherwise managed key services, to add their keys to the root.json. Whilst it can be done with json manipulation, it would be much nicer if the tuf cli supported it natively to avoid mistakes or misconfiguration.

I propose the following:

```
tuf add-key <role>
  --keytype       # eg. "rsa"
  --public-value  # The value of the public key
  --scheme        # eg. "rsassa-pss-sha256"

# Returns the key-id
```

This will then add the key to the root.json in both the keys and roles fields with the correct hashed key id, and will return a key id which can then be used in subsequent signing requests.
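A model of what the proposed command has to do to root.json, written as an added example (not go-tuf's own code): it derives the key id the way the TUF specification defines it, as the hex SHA-256 of the key object's canonical JSON, and records that id in both the keys and roles fields without duplicating it on a second run. The PublicKey and Root types, the three-field key object, and the PEM value are assumptions; go-tuf's own id computation may hash additional fields, so the exact digest here is illustrative.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)
type PublicKey struct{ KeyType, Scheme, Public string } // from --keytype, --scheme, --public-value

// canonicalString: canonical JSON escapes only backslash and quote, so PEM newlines stay literal.
func canonicalString(s string) string {
	return `"` + strings.ReplaceAll(strings.ReplaceAll(s, `\`, `\\`), `"`, `\"`) + `"`
}

// CanonicalJSON renders the key object with sorted keys (keytype, keyval, scheme) and no whitespace.
func (k PublicKey) CanonicalJSON() string {
	return `{"keytype":` + canonicalString(k.KeyType) +
		`,"keyval":{"public":` + canonicalString(k.Public) + `}` +
		`,"scheme":` + canonicalString(k.Scheme) + `}`
}

// KeyID is the hex SHA-256 of the canonical JSON, which is how the TUF specification defines key ids.
func (k PublicKey) KeyID() string {
	sum := sha256.Sum256([]byte(k.CanonicalJSON()))
	return hex.EncodeToString(sum[:])
}

type Root struct { // only the two root.json fields the proposal says add-key must update
	Keys  map[string]PublicKey // keyid -> key object
	Roles map[string][]string  // role name -> keyids
}

// AddKey stores the key under its id, lists the id for the role exactly once, and returns the id.
func (r *Root) AddKey(role string, k PublicKey) string {
	id := k.KeyID()
	r.Keys[id] = k
	for _, have := range r.Roles[role] {
		if have == id {
			return id // re-running add-key for the same key must not duplicate the entry
		}
	}
	r.Roles[role] = append(r.Roles[role], id)
	return id
}
func main() {
	root := &Root{Keys: map[string]PublicKey{}, Roles: map[string][]string{}}
	pem := "-----BEGIN PUBLIC KEY-----\nEXAMPLE\n-----END PUBLIC KEY-----\n" // constructed placeholder
	fmt.Println(root.AddKey("root", PublicKey{"rsa", "rsassa-pss-sha256", pem})) // id for later sign calls
}
```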

ChevronTango commented 1 year ago

This was partly in response to https://github.com/theupdateframework/go-tuf/issues/525#issuecomment-1655807670 where adding a KMS key required the use of tuftool rather than being able to be done entirely with go-tuf