Add print fingerprint via -F feature #29
OpenWrt package manager and sysupgrade functionality relies on The OpenWrt build system currently requires a fingerprint feature which was added to |
To know the fingerprint used for a sec/pub/sig the option `-F` is added which works in combination with `-s`, `-p` or `-x`. It will load the file and print the used fingerprint in hex.

This feature was ported over from OpenWrt's usign[0], which is a slimmed simpler implementation of `signify`.

[0]: https://git.openwrt.org/project/usign.git

Signed-off-by: Paul Spooren <mail@aparcar.org>
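As an added illustration of what the `-F` option described above reports (not code from this pull request, signify or usign): a small parser that extracts the 8-byte key number from each file kind and returns it in hex. It assumes the fingerprint is that key number, that files use signify's two-line layout (an `untrusted comment: ` line, then base64), and the struct sizes in the `LAYOUTS` table; the sample files are constructed with filler key bytes.

```python
import base64

COMMENT_PREFIX = "untrusted comment: "
KEYNUM_LEN = 8
# Assumed layout per file kind: (decoded length, offset of the key number),
# following signify's pubkey / sig / enckey structs.
LAYOUTS = {"pub": (42, 2), "sig": (74, 2), "sec": (104, 32)}


def fingerprint(text, kind):
    """Return the key number of a signify-format file as 16 hex digits."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("missing 'untrusted comment: ' header line")
    try:
        blob = base64.b64decode(lines[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("second line is not valid base64") from exc
    size, offset = LAYOUTS[kind]
    if len(blob) != size:
        raise ValueError(f"{kind} blob is {len(blob)} bytes, expected {size}")
    if blob[:2] != b"Ed":
        raise ValueError("unsupported public-key algorithm tag")
    return blob[offset:offset + KEYNUM_LEN].hex()


def _make(comment, blob):
    # Builds a constructed sample file: comment line, then base64 payload.
    return f"{COMMENT_PREFIX}{comment}\n{base64.b64encode(blob).decode()}\n"


# Constructed sample data: the key material is zero filler, not real keys.
KEYNUM = bytes.fromhex("0123456789abcdef")
SAMPLE_PUB = _make("demo public key", b"Ed" + KEYNUM + bytes(32))
SAMPLE_SIG = _make("verify with demo.pub", b"Ed" + KEYNUM + bytes(64))
SAMPLE_SEC = _make("demo secret key",
                   b"Ed" + b"BK" + bytes(4) + bytes(16) + bytes(8)
                   + KEYNUM + bytes(64))

if __name__ == "__main__":
    for kind, sample in (("pub", SAMPLE_PUB), ("sig", SAMPLE_SIG),
                         ("sec", SAMPLE_SEC)):
        print(kind, fingerprint(sample, kind))
```

A matching key number only shows which key a signature names; it does not verify the signature.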
Any chance to get a comment on this? |
You should! To make this a bit easier for me, this is a change that diverges from upstream OpenBSD, right? Is upstream aware, what do they think? |
Well I tried to make upstream aware of this by sending it to the "official" looking github mirror. |
@aparcar In this case “upstream” would be the OpenBSD project. The goal of this project here in GitHub is to take OpenBSD's code and make it buildable on GNU/Linux and possibly other systems. The best way to get the feature added would be submitting a diff to the tech@openbsd.org mailing list (more here) explaining how the feature is useful. Now, regarding the patch itself, the added code looks good to me and it is small, so if the OpenBSD folks think the feature is interesting I suppose that it may not be difficult to get it added 😃 What do you think about trying to submit it to OpenBSD? If the patch does not get accepted by them, then I can reconsider maintaining the patch here myself, but I would rather do that as the second option. |
Are the fingerprints important? The pub keys are so small that we may use them directly. |
I guess we stick with |
@aparcar we can use the PKCS#7 detached signatures and .p7s files (same as in S/MIME). The ed25519 is supported there. It is still not so widely supported, but this is a standard. Other alternatives are: