Draft: Add `signstar-csr` and signing hash states
Adds `signstar-csr` binary (name change pending) which produces signing request files:
```json
{
  "required": {
    "hash": "sha512",
    "signature-type": "OpenPGPv4",
    "state": [8,201,188,243,103,230,9,106,59,167,202,32,133,174,103,187,43,248,148,254,114,243,10,60,241,54,29,95,58,245,79,165,209,130,30,173,127,82,14,81,31,108,62,43,140,104,,155,107,189,65,251,171,217,131,31,121,33,26,19,25,205,224,91,0,0,0,0,0,0,0,,0,0,0,0,0,0,0,0,64,20,73,32,8,105,107,101,32,115,116,114,97,119,98,1,14,114,105,101,115,10,0,0,0,0,0,0,0,,0,0,0,0,0,0,0,0,0,0,0,0,0,,0,0,0,0,0,0,0,0,0,0,0,0,0,,0,0,0,0,0,0,0,0,0,0,0,0,0,,0,0,0,0,0,0,0,0,0,0,0,0,0,,0,0,0,0,0,0,0,0,0,0,0,0,0,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
  },
  "optional": {
    "T9syL3i": "https://gitlab.archlinux.org/archlinux/signstar/-/merge_requests/43",
    "request-time": 1726149314
  }
}
```
And then adds `nethsm openpgp sign-state` command which ingests the signing request JSON file and produces an OpenPGP signature.
The entire flow looks like this:

```sh
signstar-csr < file.txt | nethsm openpgp sign-state signing1 > file.txt.pgp
```
The resulting signature has the `file.txt` digest embedded inside:
```
Signature Packet, new CTB, 216 bytes
    Version: 4
    Type: Binary
    Pk algo: EdDSA
    Hash algo: SHA512
    Hashed area:
      Signature creation time: 2024-09-12 13:37:57 UTC
      Issuer: 75053BB045A49049
      Issuer Fingerprint: 81057E2707FB660398FEA88275053BB045A49049
      Notation: data-digest@archlinux.org
        00000000  55 b9 56 f9 bb 40 75 2f  a3 28 c9 35 23 a9 77 5a
        00000010  a8 4e 1d 20 14 37 27 79  fd cb 9f 52 55 28 e9 1a
        00000020  d0 0d 6f 3d 5d 64 c7 1f  b9 8c c3 72 5c 76 6c ed
        00000030  64 98 d4 b1 bd 38 92 cc  89 4c eb 1f 65 01 13 37
    Digest prefix: DE0C
    Level: 0 (signature over data)
```
This is heavily work-in-progress but I wanted to share early results for a rough overview.
Note that this MR cannot be merged as is because it depends on a yet-unreleased version of rPGP (as well as a sha2 pre-release).
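An added illustration of the hash-state hand-off this MR describes, not code from the MR or the signstar project: a resumable SHA-512 in which the hashing side exports its chaining words, byte count and unconsumed tail, and the signing side pads and finalizes from that export alone (the first eight bytes of the `state` array above, `8,201,188,243,103,230,9,106`, are the little-endian SHA-512 IV word `6a09e667f3bcc908`, i.e. the chaining-word part of such a state). The tuple layout and helper names are assumptions; the sha2 crate's serialized format is not reproduced.

```python
import hashlib, math, struct

MASK = (1 << 64) - 1
def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps
def _icbrt(n):  # exact integer cube root, Newton iteration from above
    x = 1 << ((n.bit_length() + 2) // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x
# SHA-512 IV = frac(sqrt(prime)), K = frac(cbrt(prime)); derived, not tabulated
IV = [math.isqrt(p << 128) & MASK for p in _primes(8)]
K = [_icbrt(p << 192) & MASK for p in _primes(80)]
def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK
def _compress(h, block):
    w = list(struct.unpack(">16Q", block))
    for i in range(16, 80):
        s0 = _rotr(w[i - 15], 1) ^ _rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = _rotr(w[i - 2], 19) ^ _rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, hh = h
    for i in range(80):
        t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
def absorb(data, state=None):
    # Hashing host: consume whole 128-byte blocks; the exported state is the
    # chaining words, the byte count and the unconsumed tail (assumed layout).
    h, n, buf = state or (IV, 0, b"")
    buf += data
    while len(buf) >= 128:
        h, buf = _compress(h, buf[:128]), buf[128:]
    return h, n + len(data), buf
def finalize(state):
    # Signing host: apply SHA-512 padding and finish from the exported state only.
    h, n, buf = state
    tail = buf + b"\x80" + b"\x00" * ((111 - len(buf)) % 128) + (n * 8).to_bytes(16, "big")
    for i in range(0, len(tail), 128):
        h = _compress(h, tail[i:i + 128])
    return struct.pack(">8Q", *h)
def matches_hashlib(data, cut):
    # Cross-check: hash in two chunks across an exported state vs. one-shot hashlib.
    return finalize(absorb(data[cut:], absorb(data[:cut]))) == hashlib.sha512(data).digest()
```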
Edited by Wiktor Kwapisiewicz