Keys / Signing

The catalog allows you to create private keys that are stored securely in the cloud. These keys can be used to sign data without letting the signer have access to the private key bits.

You can download the public half of these keys to enable you to verify signatures ‘offline’ or without making a roundtrip to the catalog.

Keys are not visible from the Catalog frontend; you must use the ark-signature-tool to interact with them.

Creating Keys

You can create a new key with this command:

./build/ark-signature-tool --organization <GUID> --generate-rsa my/key/name --bits 4096

This will generate an RSA key pair called “my/key/name” that users in the <GUID> organization can use for signing and verification.

Public Keys

You can download the public half of the key with this command:

~/ark$ ./build/ark-signature-tool --download-public-key arkos_bench/release --organization 2ea25035-6aa4-42fb-9955-92288ea1b972
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoKSGBK6e20FNfJyTzK8D
OH4w9oPbpLH54j+qD+jZeR5o0DgpMuJAh4rEpid+qlIInUMfIjUJsT/JnMxAKOLP
VV5qF4PZzbLJu7ey0p/EfQQ5/IFLXtvJ1J7RBkLMXeDo8sl9RkCyw36mwElMVTQ2
40EkcLx3qIKgwCbq/FKMZfW4TzcwbCszFKCHZ8y47jVlFwb6HF3hCvnXcbWSQnGZ
USz8N92F2m0dkvkjQ4hLUV6DAERDsAB/ysG3suwXabMGqxT2K+ejgDuBwy8BqSsR
clLR+pBoJNogOnn9dBhB2It4DJoxxzVEnthINIp5ysDPUO97OsT8Ke9HjVy4Xk+J
O8LR3EEbnaFW+4C7WtMt5ylcywzsV8JMvk6pbYZwQ+Px3AKVXl4z500uv2Gc7NcL
FFJPgubusVyjiVZ+z1hET95+T4nrvZnNtiUeliENTiwe124JAAP87/9eGnRZs4HS
7mekHC/Yn+Kn5PdfZAkBPEhuqo9wRekJaGHNUhpY8dxr50ATInegrTAwpfIOhl2m
gDwyYGkdbruXSsGGZ6KtvHD8WnL2euyjCyK0n6LFe2eQEV3KI+G5SSU5Gtuqz7Sf
GhZxwU5E87Vd3/r03RrVYzCMNtm08o0v/Mp+wYiLRtrbC+Azn1knBM+Cf7EEVPf6
uw+AOx+rF9sFVa2JOM7eLVMCAwEAAQ==
-----END PUBLIC KEY-----

This is the public key for the arkos_bench/release key. It can be used by many common cryptographic tools to verify signatures.

Signing

You can sign items with this command:

~/ark$ ./build/ark-signature-tool --sign arkos_bench/release --organization 2ea25035-6aa4-42fb-9955-92288ea1b972 -i README.md

This will sign the README.md file with the arkos_bench/release key, and then output the signature to stdout. This signature can be verified with many common cryptographic tools.

Verifying

As mentioned, you can use common tools (such as OpenSSL) to verify signatures, or you can use Ark tools or APIs.

An example of using the signature tool:

./build/ark-signature-tool --verify arkos_bench/release --organization 2ea25035-6aa4-42fb-9955-92288ea1b972 -i README.md --signature-file README.md.sig

This will emit an error if the signature does not match (returning 1), or print nothing and return 0 on success.
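As an added example (not part of the Ark docs or tooling), the following script performs the ‘offline’ check described above with OpenSSL: it verifies a detached signature against a file using a downloaded public key, and rejects a file that has been modified after signing. It assumes the signature is an RSA PKCS#1 v1.5 signature over the SHA-256 digest of the file; if the catalog uses a different padding or hash, the `openssl dgst` options need to change accordingly. The demo generates a throwaway local key pair to stand in for a catalog key, since the real private key never leaves the cloud.

```shell
#!/bin/sh
# Offline verification of a detached signature with OpenSSL.
# Assumption (not stated in the Ark docs): the signature is RSA PKCS#1 v1.5
# over SHA-256 of the file, so `openssl dgst -sha256 -verify` applies.

# verify_offline PUBKEY.pem FILE SIGFILE
# Returns 0 on a valid signature, 1 otherwise (same exit codes as the tool).
verify_offline() {
    pub="$1"; file="$2"; sig="$3"
    [ -r "$pub" ] && [ -r "$file" ] && [ -r "$sig" ] || return 1
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$file" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Self-contained demo: a constructed local key pair stands in for a catalog key
# (2048 bits for speed; the catalog example uses 4096). Returns 0 only if the
# genuine file verifies and the tampered copy is rejected.
demo_offline_verify() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null || return 1
    # Equivalent of `ark-signature-tool --download-public-key ...`
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null || return 1
    printf 'constructed sample README\n' > "$dir/README.md"
    # Local stand-in for `ark-signature-tool --sign ... -i README.md > README.md.sig`
    openssl dgst -sha256 -sign "$dir/priv.pem" -out "$dir/README.md.sig" \
        "$dir/README.md" 2>/dev/null || return 1

    if verify_offline "$dir/pub.pem" "$dir/README.md" "$dir/README.md.sig"; then
        good=0; else good=1; fi
    printf 'tampered after signing\n' >> "$dir/README.md"
    if verify_offline "$dir/pub.pem" "$dir/README.md" "$dir/README.md.sig"; then
        bad=0; else bad=1; fi
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

With a real key, call `verify_offline arkos_bench_release.pem README.md README.md.sig` using the PEM saved from `--download-public-key` and the signature saved from `--sign`.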

You can also make use of the APIs in ark::crypt to verify these signatures. For more details, see the ark/crypt/key_pair.hh header file.