API for Signing and Verifying Arbitrary Data
Closed this issue · 3 comments
I'm thinking about using SSH signatures for signing software updates: https://www.agwa.name/blog/post/ssh_signatures
However, for that the verification part needs to be integrated into the software. I'm not (yet) very familiar with the implementation details of SSH's signature system, but is it the same mechanism as for signing certificates? If yes, could this library be used or easily extended to sign arbitrary data (inputs: private key, namespace, file to sign) and verify signatures (inputs: public key(s), signed file, signature) in a way that's compatible with ssh-keygen?
I believe the code you're looking for is here: https://github.com/obelisk/sshcerts/blob/master/src/ssh/signer.rs#L26
This allows you to convert a private key into a function that can be used to sign arbitrary data. This is the functionality that is used when generating an SSHCertificate because that is a blob of data signed with an SSH private key.
I have not tried signing things with ssh-keygen, but it absolutely should be compatible. Maybe in the next couple weeks I'll give it a shot and write some tests that do that.
Well, it's definitely a couple weeks later