@TODO: Fill in “generate root keypairs” usage howto
This HOWTO describes the process of generating root keypairs for a Rugged repository. There are two main methods for generating keypairs: openssl, which is quick and readily available, and can be used provided extra care is taken to protect the private key material from compromise.

Now we need to generate keypairs for each of the roles. The root keys are by far the most important, as they form the root of trust for the whole system.
Under standard Rugged operation, the root keys would be generated offline and kept secure to ensure the trustworthiness of the TUF repository. Typically this is done with OpenSSL or a Hardware Security Module (HSM) (@TODO: LINK).
In this case, we’ll generate our root keys in a tmp directory under the tuf_repo in the DDEV container:
export RUGGED_TMP=/var/rugged/tuf_repo/tmp; ddev exec sudo mkdir -p $RUGGED_TMP
Using typical OpenSSL commands, we generate a keypair for each of the root, root1, and myroot2 root keys we’ve configured:
for x in root root1 myroot2; do
echo "Generating $x keypair.."
ddev exec sudo /usr/local/ssl/bin/openssl genpkey -algorithm ED25519 -out $RUGGED_TMP/${x}_private.pem
ddev exec sudo /usr/local/ssl/bin/openssl pkey -in $RUGGED_TMP/${x}_private.pem -pubout -out $RUGGED_TMP/${x}_public.pem
echo "done."
done
We also need keypairs for the other roles. These are the online keys, typically generated by Rugged as part of initializing a TUF repository. Let’s generate keys for each of the Snapshot, Targets, and Timestamp roles in turn:
ddev rugged generate-keys --local --role=snapshot
ddev rugged generate-keys --local --role=targets
ddev rugged generate-keys --local --role=timestamp
Now add the verification keys for the three root keypairs we generated (one command per public key file):
ddev rugged add-verification-key root /var/rugged/tuf_repo/tmp/root_public.pem --key-type=pem
ddev rugged add-verification-key root /var/rugged/tuf_repo/tmp/root1_public.pem --key-type=pem
ddev rugged add-verification-key root /var/rugged/tuf_repo/tmp/myroot2_public.pem --key-type=pem
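Before running the add-verification-key commands it is worth checking that each file really is an Ed25519 public key and not the matching *_private.pem. The following is an added example, not code from this page or from the Rugged project: it parses the PEM written by openssl pkey -pubout, refuses private-key files, and derives a key ID the way python-tuf/securesystemslib do, which is an assumption about Rugged rather than something the page states.

```python
import base64
import hashlib
import json
import re

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410): the 32 raw key bytes follow it.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

def load_ed25519_public_pem(pem_text: str) -> bytes:
    """Return the raw 32-byte Ed25519 public key from PEM text; raise ValueError for anything
    else, including a PRIVATE KEY block, so *_private.pem is never registered by mistake."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if "PRIVATE" in label:
        raise ValueError("refusing to use a private key as a verification key")
    if label != "PUBLIC KEY":
        raise ValueError(f"unexpected PEM label: {label}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if len(der) != len(ED25519_SPKI_PREFIX) + 32 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return der[len(ED25519_SPKI_PREFIX):]

def is_usable_verification_key(pem_text: str) -> bool:
    """Pre-flight check before 'rugged add-verification-key <role> <file> --key-type=pem'."""
    try:
        load_ed25519_public_pem(pem_text)
        return True
    except ValueError:
        return False

def tuf_keyid(raw_public: bytes) -> str:
    """Key ID as python-tuf/securesystemslib derive it: SHA-256 of the canonical JSON of the
    public key object. Assumption: Rugged reports the same value; check against its output."""
    key = {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": raw_public.hex()}}
    canonical = json.dumps(key, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed samples: the public key is the RFC 8032 section 7.1 test vector, not a key in use.
SAMPLE_RAW = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SAMPLE_PUBLIC_PEM = _pem("PUBLIC KEY", ED25519_SPKI_PREFIX + SAMPLE_RAW)
SAMPLE_PRIVATE_PEM = _pem("PRIVATE KEY", bytes(48))  # dummy body; the label alone gets it rejected
```

Run is_usable_verification_key over the text of each root*_public.pem before passing the path to Rugged; a False result means the wrong file or the wrong key type.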