Sign with a passkey signature #3833

Open
gedw99 opened this issue Aug 15, 2024 · 1 comment
Labels
question Further information is requested

Comments


gedw99 commented Aug 15, 2024

Question

I use passkeys to identify orgs and users when they sign in to a golang system that I am working on.

The system produces artifacts into their GitHub or other git servers. These are binaries, WASM, text files.

I plan to produce an SBOM of these artefacts also as an artefact.

Other users can then use those artefacts at runtime in the system.

So I was wondering about using the passkey signature to sign their artefacts.

WASM is the main thing that is run by third parties, because it gives a measure of security sandboxing. But the binaries also.

I plan to team this up with fish food, which is a golang package distribution system and make it real time with a pub sub overlay system.

https://github.com/tinned-fish/gofish

The core binaries that run the passkeys would need to be notarised by Apple and Microsoft in order for them to run on devs' and users' systems. I was thinking of doing notarisation and then co-signing in a 2-step process. But have no idea if this is workable.

Would appreciate feedback :)

@gedw99 gedw99 added the question Further information is requested label Aug 15, 2024

gedw99 commented Aug 15, 2024

I can also use nats nkeys Ed25519 since my core auth system is based on nats.

https://github.com/nats-io/jwt

Since cosign is able to mint self managed keys here, https://docs.sigstore.dev/key_management/signing_with_self-managed_keys/, it looks like I could use this approach flow:

User's passkey, then store passkey signature in nats, then create a nats user, then create a jwt and a cosign key … then sign any artefacts this user produces.

It's a chain of trust that flows back into the user's passkey that is stored in their TPM chip. YubiKeys also.
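
The chain of trust described in the comment above, as an added Go example that is not part of the original issue and not cosign or NATS code: a passkey assertion whose challenge is the SHA-256 of a delegated Ed25519 public key, and that key then signs the artefact. `NewSoftPasskey`, `Endorse`, `VerifyChain`, the software P-256 key standing in for the authenticator, the RP ID and the origin are assumptions made for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assertion is a simplified WebAuthn assertion; NewSoftPasskey is a constructed stand-in for a hardware key.
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }
func NewSoftPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// signedDigest hashes what a passkey signs: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(a Assertion) []byte {
	cdh := sha256.Sum256(a.ClientDataJSON)
	sum := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdh[:]...))
	return sum[:]
}

// Endorse plays the authenticator (hypothetical helper): challenge = SHA-256(delegated Ed25519 public key).
func Endorse(passkey *ecdsa.PrivateKey, delegate ed25519.PublicKey, origin string) (a Assertion, err error) {
	ch := sha256.Sum256(delegate)
	a.ClientDataJSON = []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":%q,"origin":%q}`,
		base64.RawURLEncoding.EncodeToString(ch[:]), origin))
	rp := sha256.Sum256([]byte("example.test")) // rpIdHash for a placeholder RP ID
	a.AuthData = append(rp[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signCount = 1
	a.Sig, err = ecdsa.SignASN1(rand.Reader, passkey, signedDigest(a))
	return a, err
}

// VerifyChain (hypothetical helper) checks both links: passkey -> delegated key -> artefact.
func VerifyChain(pk *ecdsa.PublicKey, a Assertion, delegate ed25519.PublicKey, origin string, artefact, artSig []byte) bool {
	var cd struct{ Type, Challenge, Origin string } // JSON keys match case-insensitively
	ch := sha256.Sum256(delegate)
	return json.Unmarshal(a.ClientDataJSON, &cd) == nil && cd.Type == "webauthn.get" && cd.Origin == origin &&
		cd.Challenge == base64.RawURLEncoding.EncodeToString(ch[:]) && len(delegate) == ed25519.PublicKeySize &&
		len(a.AuthData) >= 37 && a.AuthData[32]&1 != 0 && // user-presence flag is set
		ecdsa.VerifyASN1(pk, signedDigest(a), a.Sig) && ed25519.Verify(delegate, artefact, artSig)
}

func main() {
	passkey, _ := NewSoftPasskey()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a, _ := Endorse(passkey, pub, "https://example.test")
	wasm := []byte("\x00asm constructed sample artefact")
	fmt.Println(VerifyChain(&passkey.PublicKey, a, pub, "https://example.test", wasm, ed25519.Sign(priv, wasm)))
}
```

A real relying party would also check the rpIdHash and signature counter in authenticatorData, and the assertion would come from the platform's WebAuthn API rather than a software key.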
