Ssh keys #451
Conversation
and for bigger feature PRs, a link to an issue that explains the background, design options and decisions would be great
WRT SSH support itself I'll leave a bit of context:
None of the above prevents taking your SSH work in tree but I'm saying this to explain why there might be some friction -- The various PRs (and an in-toto/securesystemslib fork) are pushing in several directions right now so choosing the right path may not be obvious...
Thank you for letting me know.
It is highly illogical and inconvenient.
Please try to be constructive and respectful in your comments.
OK, this code is pretty standalone, I can temporarily put it in another package.
Worked around by carrying an impl in https://github.com/KOLANICH/securesystemslib_KOLANICH.py
Apologies for the long radio silence. We did land #456 a while ago, and the resulting signer API has turned out quite nicely and also quite easily extendable (we have GCP, HSM, and sigstore (WIP) support). Official docs are still sparse, but there is a nice blog post and browsing the code should also give you a good idea of the concept. Are you interested in contributing an

```python
from typing import Optional, Tuple

from securesystemslib.signer import Key, SecretsHandler, Signature, Signer, SSlibKey


class SSHSigner(Signer):
    @classmethod
    def import_file(cls, private_key_path: str, public_key_path: str) -> Tuple[str, SSlibKey]:
        # Load public key from public_key_path.
        # Convert ssh-formatted key data to create a valid SSlibKey from it.
        # Construct URI, used to load the actual signer, e.g.
        # f"ssh+file:/{private_key_path}".
        # Return uri and public key.
        raise NotImplementedError

    @classmethod
    def from_priv_key_uri(
        cls, priv_key_uri: str, public_key: Key, secrets_handler: Optional[SecretsHandler] = None
    ) -> "SSHSigner":
        # Load private key from priv_key_uri.
        # Convert ssh-formatted key data to a dictionary accepted
        # by securesystemslib.keys.create_signature (see SSlibSigner.key_dict).
        # Return signer.
        raise NotImplementedError

    def sign(self, payload: bytes) -> Signature:
        # Sign using securesystemslib.keys.create_signature (see SSlibSigner.sign).
        raise NotImplementedError
```

The high-level idea for (public key) import in the signer API is also outlined in #466.
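As an added illustration of the "convert ssh-formatted key data" step sketched in the comment above (example code, not securesystemslib's own and not from this PR), this parses an OpenSSH ed25519 public key line into the keytype/scheme/keyval dict shape and rejects mismatched or truncated blobs; the function names, the sample key bytes and the keyid derivation are assumptions.

```python
import base64
import hashlib
import json
import struct


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[offset + 4:end], end


def parse_openssh_ed25519_pubkey(line: str) -> dict:
    """Turn an 'ssh-ed25519 <base64> [comment]' line into a key dict."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("expected an 'ssh-ed25519 <base64> [comment]' line")
    blob = base64.b64decode(parts[1], validate=True)
    algo, offset = _read_string(blob, 0)
    if algo != b"ssh-ed25519":
        raise ValueError("algorithm inside blob does not match the prefix")
    raw, offset = _read_string(blob, offset)
    if len(raw) != 32 or offset != len(blob):
        raise ValueError("malformed ed25519 public key blob")
    key = {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": raw.hex()}}
    # Assumption: keyid = sha256 over sorted, compact JSON of the three fields.
    canonical = json.dumps(key, sort_keys=True, separators=(",", ":"))
    key["keyid"] = hashlib.sha256(canonical.encode()).hexdigest()
    return key


def encode_openssh_ed25519_pubkey(raw: bytes, comment: str = "") -> str:
    """Inverse of the parser; used here only to build the constructed sample."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw)) + raw
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed sample key material (not a real key): bytes 0x00..0x1f.
SAMPLE_RAW = bytes(range(32))
SAMPLE_LINE = encode_openssh_ed25519_pubkey(SAMPLE_RAW, "constructed@example")

if __name__ == "__main__":
    print(json.dumps(parse_openssh_ed25519_pubkey(SAMPLE_LINE), indent=2))
```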
Thanks for giving me the link to the blog post. I'm sorry for the harsh words I have to say, but I absolutely hate the design of this lib, the concept of key URIs and different signers for different keys.
IMHO the API should be the following:
IMHO current
Okay, thanks for your feedback! From what I understand, you are not interested in integrating your feature with our API. So, I'll close this PR. Feel free to submit another one if you reconsider.
Description of the changes being introduced by the pull request:
Allows importing SSH keys as securesystemslib dicts.
Please verify and check that the pull request fulfils the following requirements: