1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
package signature
import (
"bytes"
"fmt"
"os"
"time"
)
// SigningKey is the common interface of SSH and GPG signing keys
type SigningKey interface {
CreateSignature([]byte, time.Time) ([]byte, error)
Verify([]byte, []byte) error
}
// SigningKeys represents all signing keys configured in the system.
// The primary key is used for creating signatures, the secondary
// keys are used for verification if the primary key failed to verify
// a signature
type SigningKeys struct {
primaryKey SigningKey
secondaryKeys []SigningKey
}
// ParseSigningKeys parses a list of signing keys separated by a comma and returns
// a list of GPG or SSH keys.
// Multiple signing keys are necessary to provide proper key rotation.
// The latest signing key is specified first and used for creating a signature. The
// previous signing keys go after and are used to verify a signature.
func ParseSigningKeys(primaryPath string, secondaryPaths ...string) (*SigningKeys, error) {
primaryKey, err := parseSigningKey(primaryPath)
if err != nil {
return nil, err
}
secondaryKeys := make([]SigningKey, 0, len(secondaryPaths))
for _, path := range secondaryPaths {
signingKey, err := parseSigningKey(path)
if err != nil {
return nil, err
}
secondaryKeys = append(secondaryKeys, signingKey)
}
return &SigningKeys{
primaryKey: primaryKey,
secondaryKeys: secondaryKeys,
}, nil
}
func parseSigningKey(path string) (SigningKey, error) {
key, err := os.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("open file: %w", err)
}
if bytes.HasPrefix(key, []byte("-----BEGIN OPENSSH")) {
return parseSSHSigningKey(key)
}
return parseGpgSigningKey(key)
}
// CreateSignature uses the primary key to create a signature
func (s *SigningKeys) CreateSignature(contentToSign []byte, date time.Time) ([]byte, error) {
return s.primaryKey.CreateSignature(contentToSign, date)
}
// Verify iterates over all signing keys and returns nil if any
// verification was successful. Otherwise, the last error is returned.
// Note: when Golang 1.19 is no longer supported, can be refactored using errors.Join
func (s *SigningKeys) Verify(signature, signedText []byte) error {
var err error
for _, signingKey := range append([]SigningKey{s.primaryKey}, s.secondaryKeys...) {
err = signingKey.Verify(signature, signedText)
if err == nil {
return nil
}
}
return err
}
|