-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tool for importing PEM formatted ecdsa keys #522
Comments
This probably belongs in securesystemslib. Would a fix for secure-systems-lab/securesystemslib#453 make this redundant? |
I think that fix will help as people will not run into the issue with key_id's not being consistently generated. But the suggestion in this issue is that from a users perspective, coming to in-toto with a key generated by cosign the user would have to perform the conversion from Another idea is this could be an extension of the current |
Thanks for raising this issue and sharing your script, @danbev! I agree that it would be extremely useful to make in-toto support standard (and other custom) key formats. The good news is, we are working on a more flexible signing API in securesystemslib, which should make this more intuitive (see I haven't thought about what this should look like in in-toto CLI such as The new API will also remove the strict requirement about keyids being the sha256 hexdigest of a certain pubkey representation, which doesn't really have a practical use. I don't have a timeline for when this will be available in in-toto yet, as I'm driving the development in securesystemslib with a focus on in-toto's sister project python-tuf, which also uses securesystemslib. But I'm happy to coordinate any contributions for in-toto. :) |
@lukpueh This sounds great! I'll try to take a closer look signing API too 👍 |
would this script just work if you don't use
|
Yes, I really just left the function call in there so that if this issue was fixed upstream, we could remove the messing about with the keyid's at that point. |
I'm not sure keyid generation will ever be "stable and reliable", I think it makes sense to move to a direction where we don't rely on that. My initial hand waving about the key generation/import: secure-systems-lab/securesystemslib#466 |
Description of issue or feature request:
Currently, the in-toto command line tools support a
--key-type
option ofecdsa
. The expected format is of type json following the securesystemslib specification.When creating keys with tools like
openssl
orcosign
the generated keys are often in PEM format and they have to be converted to be able to be passed to the in-toto command line tools.I ran into this issue when experimenting with
cosign
and resorted to creating a python script to do this conversion. I was wondering if this might be useful to others and if it would be possible to have this type of conversion as part of in-toto in some way?The script currently looks like this:
in-toto--key-import.py
This can be simplified and use
import_ecdsakey_from_public_pem
but I ran into an issue while working this.I'd be happy to do the work if this something that sounds resonable to do.
Current behavior:
N/A
Expected behavior:
N/A
The text was updated successfully, but these errors were encountered: