Keys / Signing
The catalog allows you to create private keys that are stored securely in the cloud. These keys can be used to sign data without the signer ever having access to the private key bits.
You can download the public half of these keys so that you can verify signatures "offline", that is, without making a roundtrip to the catalog.
Keys are not visible from the Catalog frontend; you must use the ark-signature-tool to interact with them.
Creating Keys
You can create a new key with this command:
./build/ark-signature-tool --organization <GUID> --generate-rsa my/key/name --bits 4096
This will generate an RSA key pair called "my/key/name" that users in the <GUID> organization can use for signing and verification.
Public Keys
You can download the public half of the key with this command:
~/ark$ ./build/ark-signature-tool --download-public-key arkos_bench/release --organization 2ea25035-6aa4-42fb-9955-92288ea1b972
-----BEGIN PUBLIC KEY-----
[key body omitted]
-----END PUBLIC KEY-----
This is the public key for the arkos_bench/release key. It can be used by many common cryptographic tools to verify signatures.
Signing
You can sign items with this command:
~/ark$ ./build/ark-signature-tool --sign arkos_bench/release --organization 2ea25035-6aa4-42fb-9955-92288ea1b972 -i README.md
L9nkrjm48glfbNHstnFbc8dZu6dd+V35/TMusXgYSdod4PYKW/WF82pEUNkXjVGX4xXD61uYv6brWGdJmlWSwqvdzHh0V7koQZ5sF9rkjBZ93RMMFRMH0PRnEnmh2V8TKsy4YkvJ1RYt4/rAMZJzFLZWvKbYM2KXEz+SJoKnIC0Me10VBpCVK98H4TgBGevfAu7ATLP7R9qBwQ3RauhYFNSAbwXO3qfuF8ucN0W2TfdHfJDyRneCg3RD7zz/rLL+kwGWwCwCNy/Q7OcQrHEDFiBn0v6IV5JXioYvmItN0jiLOd+Lh5g1eFBlSJyQFueqfcmjmO22X8ljMo2eUjzp8hgfmrb7/ZngQNblaEr0ATXhprXrYzizs0l75FcFzipUfeZ7tKVI6XBPyuIotQ5X00YESgkfGMFU68Q3b1w/Ac47gW8nnYhFsXKsXSwu07G3VutzwonzjyyvJSRVllambhr4gVUf9+Mptx9r/YOzJFzsd7gIIUCouI2MIT8Cg/yHWAOBZqvu/Zr7uh8UxaaCyPAgkzqJxhG0Depz/Gc7ssiXzIQkTopWtNkLWtqhlUx3PoJFS1UiLx1n478c6lLw2ga2uBZ8yXZcJ+5bqbpNL4WdcCJVNay1yrakfzVkVd8s+zrXkzvXYgUu9fY+fgwn9AhI+iYRPwx7SS7apIryJ1E=
This will sign the README.md file with the arkos_bench/release key, and then output the signature to stdout. To keep the signature for later verification, redirect stdout to a file (for example README.md.sig), which is the form the --verify command below expects. This signature can be verified with many common cryptographic tools.
Verifying
As mentioned, you can use common tools (such as OpenSSL) to verify signatures, or you can use Ark tools or APIs.
An example of using the signature tool:
./build/ark-signature-tool --verify arkos_bench/release --organization 2ea25035-6aa4-42fb-9955-92288ea1b972 -i README.md --signature-file README.md.sig
This will emit an error if the signature does not match (returning 1), or print nothing and return 0 on success.
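The offline verification path, worked through with OpenSSL, as an added example rather than anything shipped with Ark. The page does not state the digest or padding the catalog uses, so the script assumes the --sign output is the base64 encoding of a raw RSA signature over SHA-256 of the file with PKCS#1 v1.5 padding; if the service uses PSS, add -sigopt rsa_padding_mode:pss to the verify call. Because no catalog is reachable here, a throwaway local key pair stands in for the cloud-held key, and sign_locally plays the role of ark-signature-tool --sign. The README.md contents and the file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: verify an ark-signature-tool style signature offline with OpenSSL.
# Assumed (not stated on the page): signature = base64(RSA-PKCS1v15(SHA-256(file))).
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the catalog's private key. In production this half never leaves the cloud.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/private.pem" 2>/dev/null
# Equivalent of `ark-signature-tool --download-public-key ...`: the PEM you keep locally.
openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"

# Emulates the signer: prints the base64 signature on stdout, like `--sign` does.
sign_locally() {
    openssl dgst -sha256 -sign "$WORK/private.pem" "$1" | openssl base64 -A
}

# verify_offline PUBKEY FILE SIGFILE
# Returns 0 if the base64 signature in SIGFILE validates FILE under PUBKEY, 1 otherwise.
verify_offline() {
    pub=$1; file=$2; sigfile=$3
    raw=$(mktemp)
    # OpenSSL wants the raw signature bytes: strip any line breaks that a redirect of the
    # tool's stdout may have captured, then undo the base64 encoding.
    if ! tr -d '\n\r ' < "$sigfile" | openssl base64 -d -A > "$raw"; then
        rm -f "$raw"; return 1
    fi
    if openssl dgst -sha256 -verify "$pub" -signature "$raw" "$file" > /dev/null 2>&1; then
        rm -f "$raw"; return 0
    fi
    rm -f "$raw"; return 1
}

# Constructed sample artifact standing in for README.md, signed the way the page describes
# (signature on stdout, redirected into README.md.sig).
printf 'ark release notes\n' > "$WORK/README.md"
sign_locally "$WORK/README.md" > "$WORK/README.md.sig"

if verify_offline "$WORK/public.pem" "$WORK/README.md" "$WORK/README.md.sig"; then
    echo "signature valid"
fi

# A single changed byte must be rejected.
printf 'ark release notes!\n' > "$WORK/README-tampered.md"
if ! verify_offline "$WORK/public.pem" "$WORK/README-tampered.md" "$WORK/README.md.sig"; then
    echo "tampered file rejected"
fi
```

Against a real catalog key, replace sign_locally with the --sign command from the page, redirect its output to README.md.sig, and point verify_offline at the PEM you downloaded with --download-public-key; verification then needs no network access at all.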
You can also make use of the APIs in ark::crypt to verify these signatures. For more details, see the ark/crypt/key_pair.hh header file.