
Add print fingerprint via -F feature #29

Closed


@aparcar commented Apr 9, 2020

To know the fingerprint used for a sec/pub/sig the option -F is added
which works in combination with -s, -p or -x. It will load the
file and print the used fingerprint in hex.

This feature was ported over from OpenWrt's usign[0], which is a slimmed
simpler implementation of signify.

Signed-off-by: Paul Spooren mail@aparcar.org

@aparcar (Author) commented Apr 9, 2020

OpenWrt package manager and sysupgrade functionality relies on usign, which is a slimmed version of signify. There are currently some efforts to use signify instead.

The OpenWrt build system currently requires a fingerprint feature which was added to usign but is lacking in signify.

To know the fingerprint used for a sec/pub/sig the option `-F` is added
which works in combination with `-s`, `-p` or `-x`. It will load the
file and print the used fingerprint in hex.

This feature was ported over from OpenWrt's usign[0], which is a slimmed
simpler implementation of `signify`.

[0]: https://git.openwrt.org/project/usign.git

Signed-off-by: Paul Spooren <mail@aparcar.org>
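What the proposed `-F` option would print, as an added example in Python (not code from this PR, from this repository or from OpenWrt's usign): the 8-byte key number that signify embeds in every public key, secret key and signature file, which is the field usign calls the fingerprint. The example parses the three file kinds from their framing, prints the key number as 16 hex digits, and shows the one thing signify itself does with that field, which is to pair a signature with its key before any Ed25519 verification. The blob layouts are assumptions stated in the code (they follow OpenBSD signify's file format), and the sample files are constructed with all-zero dummy key material; no real keys are involved.

```python
"""Added example; not code from the signify PR, from aperezdc/signify or from usign.

Assumed blob layouts (OpenBSD signify, Ed25519 only). Each file is one
"untrusted comment:" line followed by one base64 line that decodes to:

  public key : b"Ed" + keynum[8] + pubkey[32]                        (42 bytes)
  signature  : b"Ed" + keynum[8] + sig[64]                           (74 bytes)
  secret key : b"Ed" + b"BK" + rounds[4] + salt[16] + checksum[8]
               + keynum[8] + enc_seckey[64]                          (104 bytes)
"""
from __future__ import annotations

import base64
import struct

PKALG = b"Ed"        # Ed25519 algorithm tag
KDFALG = b"BK"       # bcrypt_pbkdf tag, present only in secret key files
KEYNUMLEN = 8
SEC_KEYNUM_OFF = len(PKALG) + len(KDFALG) + 4 + 16 + 8   # = 32


def parse_blob(text: str) -> tuple[str, bytes, bytes]:
    """Return (kind, keynum, rest) for the text of a signify .pub/.sec/.sig file."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing 'untrusted comment:' header line")
    blob = base64.b64decode(lines[1], validate=True)
    if blob[:2] != PKALG:
        raise ValueError(f"unsupported algorithm tag {blob[:2]!r}")
    if len(blob) == 2 + KEYNUMLEN + 32:
        return "pub", blob[2:2 + KEYNUMLEN], blob[2 + KEYNUMLEN:]
    if len(blob) == 2 + KEYNUMLEN + 64:
        return "sig", blob[2:2 + KEYNUMLEN], blob[2 + KEYNUMLEN:]
    if len(blob) == SEC_KEYNUM_OFF + KEYNUMLEN + 64:
        if blob[2:4] != KDFALG:
            raise ValueError(f"unsupported kdf tag {blob[2:4]!r}")
        return ("sec", blob[SEC_KEYNUM_OFF:SEC_KEYNUM_OFF + KEYNUMLEN],
                blob[SEC_KEYNUM_OFF + KEYNUMLEN:])
    raise ValueError(f"unexpected blob length {len(blob)}")


def fingerprint(text: str) -> str:
    """The key number as 16 hex digits, i.e. what `-F -p/-s/-x FILE` would print."""
    return parse_blob(text)[1].hex()


def signature_matches_key(sig_text: str, pub_text: str) -> bool:
    """signify compares key numbers before doing any Ed25519 verification; a
    mismatch is reported as the wrong key, not as a bad signature."""
    return parse_blob(sig_text)[1] == parse_blob(pub_text)[1]


def make_sample_files(keynum: bytes) -> dict[str, str]:
    """Constructed sample files: real framing, dummy (all-zero) key material."""
    def wrap(comment: str, blob: bytes) -> str:
        return f"untrusted comment: {comment}\n{base64.b64encode(blob).decode()}\n"
    return {
        "pub": wrap("constructed public key", PKALG + keynum + bytes(32)),
        "sig": wrap("constructed signature", PKALG + keynum + bytes(64)),
        "sec": wrap("constructed secret key",
                    PKALG + KDFALG + struct.pack(">I", 42) + bytes(16) + bytes(8)
                    + keynum + bytes(64)),
    }


if __name__ == "__main__":
    files = make_sample_files(bytes(range(1, 9)))
    for kind, text in files.items():
        print(kind, fingerprint(text))           # 0102030405060708 for all three
    other = make_sample_files(b"\xff" * 8)
    print("same key:", signature_matches_key(files["sig"], files["pub"]))    # True
    print("other key:", signature_matches_key(other["sig"], files["pub"]))   # False
```

The key number is eight random bytes that signify draws when it generates the key pair; it is not a digest of the public key, so unlike an SSH or GPG fingerprint it does not identify the key cryptographically, and anyone can write a key file with whatever key number they like. Matching it only selects which key to try; trust still rests on verifying the signature with the full 32-byte public key.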
@aparcar (Author) commented Jan 15, 2021

Any chance to get a comment on this?

@marcusmueller (Contributor) commented:

> Any chance to get a comment on this?

You should! To make this a bit easier for me, this is a change that diverges from upstream OpenBSD, right? Is upstream aware, what do they think?

@aparcar (Author) commented Mar 4, 2021

Well I tried to make upstream aware of this by sending it to the "official" looking github mirror.

@aperezdc (Owner) commented Mar 5, 2021

@aparcar In this case “upstream” would be the OpenBSD project. The goal of this project here in GitHub is to take OpenBSD's code and make it buildable on GNU/Linux and possibly other systems. The best way to get the feature added would be submitting a diff to the tech@openbsd.org mailing list (more here) explaining how the feature is useful.

Now, regarding the patch itself, the added code looks good to me and it is small, so if the OpenBSD folks think the feature is interesting I suppose that it may not be difficult to get it added 😃

What do you think about trying to submit it to OpenBSD? If the patch does not get accepted by them, then I can reconsider maintaining the patch here myself, but I would rather do that as the second option.

@stokito (Contributor) commented Oct 3, 2023

Are the fingerprints important? The pub keys are so small that we may use them directly.
The fingerprint in usign is 8 bytes, i.e. 16 hex.
The whole ed25519 pub key is 32 bytes, i.e. 64 hex or 44 in b64.
The typical RSA fingerprint is 34 hex.

@aparcar (Author) commented Oct 4, 2023

I guess we stick with usign for now until we either switch to something based on an SSL library, which now ships with OpenWrt anyway, or find something with PQC features. Closing this.

@aparcar closed this Oct 4, 2023
@stokito (Contributor) commented Oct 24, 2023

@aparcar we can use the PKCS#7 detached signatures and .p7s files (same as in S/MIME). Ed25519 is supported there.

It is still not so widely supported, but this is a standard.
We can use OpenSSL to sign and verify with openssl cms. Still, openssl-tools is complicated and may be too big a dependency for routers, so maybe a custom tool can be used instead.
On a desktop users can sign/verify with Kleopatra.

Other alternatives are:

  • GnuPG gpgv - a short version of GPG with only sig verifying.
  • OpenSSH sign/verify but it's really badly designed and not used by anyone.
