Sign Partial Root Metadata

This HOWTO describes the process of signing partial root metadata using Root signing keys for a Rugged repository.

There are two main methods for creating signatures, corresponding to the methods for generating the Root verification and signing keys in the first instance:

  1. Using a Hardware Security Module (HSM), if your root keypair is on such an HSM (see Generating Root keys using HSM).
  2. Using OpenSSL, if your root keypair was generated using this tool (see Generating Root keypairs using OpenSSL).

You can also see more detailed steps for each of these in the Rugged runbook template: 02A-SIGN-ROOT-METADATA (HSM) and 02B-SIGN-ROOT-METADATA (OpenSSL).

Using a Hardware Security Module (HSM)

If your Root keypair was generated using an HSM, then you will need the HSM to create a signature. Once again you’ll need your YubiHSM2 device connected to a computer with the yubihsm-shell command-line tool installed.

With the hardware token attached, we can validate that we can interact with it by requesting the device info (see the DEVICE INFO command):

yubihsm-shell --action=get-device-info

The steps below assume you have a signable-N.root.json file containing partial root metadata for version N of your Rugged repository, which you need to sign.

Generating a signature

Ensure you have your authentication key password for the YubiHSM2 available, as you will be prompted for it when running this command:

yubihsm-shell \
    --action=sign-eddsa \
    --object-id=100 \
    --algorithm=ed25519 \
    --in=signable-N.root.json \
    --out=rootA_signature.bin \
    --outformat=binary \
    --auth-key=2

This signature can now be added to the partial root metadata in preparation for deploying it into the Rugged repository.

Using OpenSSL

If you are using an OpenSSL-generated root keypair, you will need access to both the signing (private) key, to produce the signature, and the verification (public) key, to verify it. In the steps below, we assume these files are in /var/rugged/tuf_repo/tmp, where they would have been generated by following HOWTO: Generate Root Keys using OpenSSL.

export PRIV_KEY=/var/rugged/tuf_repo/tmp/rootA_private.pem
export PUB_KEY=/var/rugged/tuf_repo/tmp/rootA_public.pem

openssl pkeyutl -in signable-N.root.json -rawin -sign -inkey $PRIV_KEY > rootA_signature.bin
openssl pkeyutl -verify -sigfile rootA_signature.bin -in signable-N.root.json -rawin -inkey $PUB_KEY -pubin

The second openssl command verifies the signature you have just created, as a sanity check that the rootA_signature.bin file contains a valid signature that you can add to the partial root metadata in preparation for deploying it into the Rugged repository.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.