# Signing and Uploading Other Types

This page describes how to sign data and upload it to rekor using the different pluggable entry types.
The following are covered:
- [Minisign](#minisign)
- [SSH](#ssh)
- [PKIX/X509](#pkixx509)
- OpenPGP / GPG (TODO)
- RPM (TODO)
- Alpine (TODO)
- TSR (TODO)
- [TUF](#tuf)
- [Hashed rekord](#hashed-rekord)

## Minisign

Create a keypair with something like:

```console
$ minisign -G
Please enter a password to protect the secret key.

Password:
Password (one more time):
Deriving a key from the password in order to encrypt the secret key... done

The secret key was saved as /Users/dlorenc/.minisign/minisign.key - Keep it secret!
The public key was saved as minisign.pub - That one can be public.

Files signed using this key pair can be verified with the following command:

minisign -Vm <file> -P RWSzQI7+S6M0c4yReOwcDZ2petL8pAZsrNfkdyqr0V7j/HGafpjdKZQm
```

Sign a file:

```console
$ minisign -S -m README.md
Password:
Deriving a key from the password and decrypting the secret key... done
```

Upload to rekor:

```console
$ rekor-cli upload --artifact README.md --signature README.md.minisig --pki-format=minisign --public-key=minisign.pub
Created entry at index 5895, available at: https://rekor.sigstore.dev/api/v1/log/entries/008bfbbaa8f473a0b17cba5f8078d2c08410bca55f01d2ec71860795ef823b36
```

Look at the entry with:

```console
$ ./rekor-cli get --uuid=008bfbbaa8f473a0b17cba5f8078d2c08410bca55f01d2ec71860795ef823b36
LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
Index: 5895
IntegratedTime: 2021-07-14T01:39:50Z
UUID: 008bfbbaa8f473a0b17cba5f8078d2c08410bca55f01d2ec71860795ef823b36
Body: {
  "RekordObj": {
    "data": {
      "hash": {
        "algorithm": "sha256",
        "value": "3d80236772ca7c5405e398a4d685e715859260a8733070b86de7322e233c68d2"
      }
    },
    "signature": {
      "content": "dW50cnVzdGVkIGNvbW1lbnQ6ClJXU3pRSTcrUzZNMGMrNUcxbVZzcmw2dmgvYi91VjlxclJySWpxd21abDFKYjZhTGJ2U1NWUzdObDNvUmpVTUdHUWpLVlEyd2JnMnJxNDZxdDdPTHE3L1c3Z2liMlo5Rzh3az0=",
      "format": "minisign",
      "publicKey": {
        "content": "akpGNDdCd05uYWw2MHZ5a0JteXMxK1IzS3F2Ulh1UDhjWnArbU4wcGxDWT0="
      }
    }
  }
}
```


## SSH

Generate a keypair with:

```console
$ ssh-keygen -C test@rekor.dev -t ed25519 -f id_ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ed25519.
Your public key has been saved in id_ed25519.pub.
The key fingerprint is:
SHA256:73u0etmm2h7BehcLbjrwXqXe193k5R5Uz0Lnl83nTt4 test@rekor.dev
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|                 |
|              . o|
|           . . ==|
|          S + +oO|
|        .. o.=.==|
|         oo.B+o=B|
|         .oB=+o+X|
|         .BO=o.oE|
+----[SHA256]-----+
```

Sign a file with:

```console
$ ssh-keygen -Y sign -n file -f id_ed25519 README.md
Enter passphrase:
Signing file README.md
Write signature to README.md.sig
```

Upload it to rekor with:

```console
$ rekor-cli upload --artifact README.md --signature README.md.sig --pki-format=ssh --public-key=id_ed25519.pub
Created entry at index 5896, available at: https://rekor.sigstore.dev/api/v1/log/entries/0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d
```

Look at the entry with:

```console
$ rekor-cli get --uuid=0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1
LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
Index: 5896
IntegratedTime: 2021-07-14T01:45:06Z
UUID: 0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1
Body: {
  "RekordObj": {
    "data": {
      "hash": {
        "algorithm": "sha256",
        "value": "3d80236772ca7c5405e398a4d685e715859260a8733070b86de7322e233c68d2"
      }
    },
    "signature": {
      "content": "LS0tLS1CRUdJTiBTU0ggU0lHTkFUVVJFLS0tLS0KVTFOSVUwbEhBQUFBQVFBQUFETUFBQUFMYzNOb0xXVmtNalUxTVRrQUFBQWdqNnhOWHFWdFJQb2JOaHg5TXNnbQp4Q2lYMlo3VFh5QXcyRHZpN0k1Nzdia0FBQUFFWm1sc1pRQUFBQUFBQUFBR2MyaGhOVEV5QUFBQVV3QUFBQXR6CmMyZ3RaV1F5TlRVeE9RQUFBRUM1N2xCUGtjWlF2K2RDOG1HMEd4ajZoeUVXOUtPZVVtN21WdFVicURSTDdramoKS1pTakYxaVFVcWVpUVQ4Z2ZKbGVyZVhhUmVMamZoR2FUN0llRENrRQotLS0tLUVORCBTU0ggU0lHTkFUVVJFLS0tLS0K",
      "format": "ssh",
      "publicKey": {
        "content": "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUkrc1RWNmxiVVQ2R3pZY2ZUTElKc1FvbDltZTAxOGdNTmc3NHV5T2UrMjUK"
      }
    }
  }
}
```

## PKIX/X509

Generate a keypair with:

```console
$ openssl ecparam -genkey -name prime256v1 > ec_private.pem
$ openssl ec -in ec_private.pem -pubout > ec_public.pem
read EC key
writing EC key
```

Sign the file with:

```console
$ openssl dgst -sha256 -sign ec_private.pem -out README.md.sig README.md
```

Upload it to rekor with:

```console
$ ./rekor-cli upload --artifact README.md --signature README.md.sig --pki-format=x509 --public-key=ec_public.pem
Created entry at index 5897, available at: https://rekor.sigstore.dev/api/v1/log/entries/31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d
```

View the entry with:

```console
$ rekor-cli get --uuid=31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d
LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
Index: 5897
IntegratedTime: 2021-07-14T01:49:54Z
UUID: 31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d
Body: {
  "RekordObj": {
    "data": {
      "hash": {
        "algorithm": "sha256",
        "value": "3d80236772ca7c5405e398a4d685e715859260a8733070b86de7322e233c68d2"
      }
    },
    "signature": {
      "content": "MEUCICwZpVU/3fnWSZkejA8R2j/t5futtl5Co3CDj7k6J6PwAiEA75Cn2txgpg/KjsOitSKsydL3D6cQIf7NQJtsmvsRTRQ=",
      "format": "x509",
      "publicKey": {
        "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFYzJKUkJZbS9OQVo5ZHhhUnNWV05mdTcxV3B5TAo2cGx4L1hsZnNVTlM2SmcrWEhEVmpsaVNBNHV2ZEQ4ZW5XdUhNdWQybS9WdEVQaDZYT0M3bjR0aCtnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
      }
    }
  }
}
```

## OpenPGP / GPG

TODO

## RPM

TODO

## Alpine

TODO

## TSR

TODO

## TUF

Generate a TUF repository (for example, with the [Python reference implementation](https://pypi.org/project/tuf/) or [go-tuf](https://github.com/theupdateframework/go-tuf)).

With go-tuf:

```console
$ tuf init
$ tuf gen-key root
$ tuf gen-key targets
$ tuf gen-key snapshot
$ tuf gen-key timestamp
$ tuf add path/to/some/target.txt
$ tuf snapshot
$ tuf timestamp
$ tuf commit
```

You will find the signed metadata in your TUF `repository/` directory:

```console
$ tree .
.
├── keys
│   ├── snapshot.json
│   ├── targets.json
│   └── timestamp.json
├── repository
│   ├── root.json
│   ├── snapshot.json
│   ├── targets
│   │   └── foo
│   │       └── bar
│   │           └── baz.txt
│   ├── targets.json
│   └── timestamp.json
└── staged
```

Upload any TUF manifest to rekor, passing the repository's `root.json` as the public key:

```console
$ ./rekor-cli upload --artifact repository/timestamp.json --type tuf --public-key repository/root.json
Created entry at index 0, available at: https://rekor.sigstore.dev/api/v1/log/entries/6ed8fa5e9f0aa31b6cdfd2cc6877692f5afba52edd7ff5774eebfb22228e8847
```

View the entry with:

```console
$ rekor-cli get --uuid=6ed8fa5e9f0aa31b6cdfd2cc6877692f5afba52edd7ff5774eebfb22228e8847
LogID: 5c4ceffb024e0d0b50bb9e03bc308ce83a76353f1003f8e57a21c51f74cc1e0e
Index: 0
IntegratedTime: 2021-08-13T19:17:33Z
UUID: 6ed8fa5e9f0aa31b6cdfd2cc6877692f5afba52edd7ff5774eebfb22228e8847
Body: {
  "TufObj": {
    "manifest": {
      "expires": "2021-12-18 13:28:12.99008 -0600 CST",
      "signed": {
        "content": [...]
      },
      "version": 1
    },
    "root": {
      "expires": "2021-12-18 13:28:12.99008 -0600 CST",
      "signed": {
        "content": [...]
      },
      "version": 1
    }
  }
}
```

## Hashed rekord

The hashedrekord type is similar to rekord, but takes the hash of the signed data instead of the full content, which makes it suitable for uploading signatures over large payloads. It is only compatible with x509 / PKIX signature types.

Generate a keypair with:

```console
$ openssl ecparam -genkey -name prime256v1 > ec_private.pem
$ openssl ec -in ec_private.pem -pubout > ec_public.pem
read EC key
writing EC key
```

Sign the file with:

```console
$ openssl dgst -sha256 -sign ec_private.pem -out README.md.sig README.md
```

Upload it to rekor with:

```console
$ ./rekor-cli upload --type hashedrekord:0.0.1 --artifact-hash $(sha256sum README.md | awk '{print $1}') --signature README.md.sig --pki-format=x509 --public-key=ec_public.pem
Created entry at index 12, available at: https://rekor.sigstore.dev/api/v1/log/entries/31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d
```

View the entry with:

```console
$ rekor-cli get --uuid=31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d
LogID: b3e217db795022552080ed8b22596131c63f3aa198e83450f3dba9e686633641
Index: 12
IntegratedTime: 2021-11-17T21:59:49Z
UUID: 31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d
Body: {
  "HashedRekordObj": {
    "data": {
      "hash": {
        "algorithm": "sha256",
        "value": "9249e5dfa2ede1c5bd89c49bf9beaf3e9afda2d961dea7cda7f639210179cd16"
      }
    },
    "signature": {
      "content": "MEQCIG9s7GVWH67OkeXPQvM/XAcLW7N0xiFZWez95uR+GlXyAiBW+DPRaYvgtpQglQLtqujwb+xQBd8I70Vk/2vDB+G3uQ==",
      "publicKey": {
        "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFR0JPTVdDanViVTVldkJ0OGcxWTZTR1ZoZ29OVwpjY2lrbHlpTEJQajQ5Um40WVFhTjRJS0xySi9nQlROU2tOREdQbHFvNHVjTVg3L21PZmlBNkVHS09BPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
      }
    }
  }
}
```