Awesome
tkey-sign
tkey-sign
creates and verifies cryptographic signatures of files.
The signature is created by the signer device
app running on the
Tillitis TKey. The signer is automatically
loaded into the TKey by tkey-sign
when signing or extracting the
public key. The measured private key never leaves the TKey.
See Release notes.
Usage
Get a public key, possibly modifying the key pair by using a User
Supplied Secret, and storing the public key in file -p pubkey
.
tkey-sign -G/--getkey [-d/--port device] [-s/--speed speed]
[--uss] [--uss-file secret-file] -p/--public pubkey
Sign a file, specified with -m message
, possibly modifying the
measured key pair by using a User Supplied Secret, and storing the
signature in -x sigfile
or, by default, in message.sig
. You need
to supply the public key file as well which tkey-sign
will
automatically verify that it's the expected public key.
tkey-sign -S/--sign [-d/--port device] [-s speed] -m message
[--uss] [--uss-file secret-file] -p/--public pubkey [-x sig-file]
Verify a signature of file -m message
with public key in -p pubkey
.
Signature is by default in message.sig
but can be specified
with -x sigfile
. Doesn't need a connected TKey.
tkey-sign -V/--verify -m message -p/--public pubkey [-x sigfile]
Alternatively you can use OpenBSD's signify(1) to verify the signature but you need to compute the SHA-512 of the file first and feed that to the verification. We provide a handy script that does this:
signify-verify message pubkey
Exit code is 0 on success and non-zero on failure.
See the manual page for details.
Examples
All examples either load the device app automatically or works with an already loaded device app.
Store the public key in a file.
$ tkey-sign -G -p key.pub
Sign a file using the signer's basic secret or the identity of an already loaded signer while also checking that you have the right public key in a file:
$ tkey-sign -S -m message.txt -p key.pub
Verify a signature over a message file with the signature in the default "message.txt.sig" file:
$ tkey-sign -V -p key.pub -m message.txt
or
$ signify-verify message.txt key.pub
Signature Verified
$
Build & install
The easiest way is to:
$ go install github.com/tillitis/tkey-sign-cli/cmd/tkey-sign@latest
After this the tkey-sign
command should be available in your
$GOBIN
directory.
Note that this doesn't set the version and other stuff you get if you
use make
.
Building
If you have Go and make installed, a simple:
$ make
or, for a Windows executable,
$ make tkey-sign.exe
should build tkey-sign
. A pre-compiled signer device app binary is
included in the repo and will be automatically embedded.
Cross compiling the usual Go way with GOOS
and GOARCH
environment
variables works for most targets but currently doesn't work for
GOOS=darwin
since the go.bug.st/serial
package relies on macOS
shared libraries for port enumeration.
Building with tkey-builder
If you want to use the tkey-builder image and you have make
you can
run:
$ podman pull ghcr.io/tillitis/tkey-builder:4
$ make podman
or run tkey-builder directly with Podman:
$ podman run --rm --mount type=bind,source=$(CURDIR),target=/src -w /src -it ghcr.io/tillitis/tkey-builder:4 make -j
Note that building with Podman by default creates a Linux binary. Set
GOOS
and GOARCH
with -e
in the call to podman run
to desired
target. Again, this won't work with a macOS target.
Installing on Linux
You can install tkey-sign
and reload the Linux udev rules to get
access to the TKey with:
$ sudo make install
$ sudo make reload-rules
Reproducible builds
You should be able to build a binary that is a exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries.
Please see the official releases for digests and details about the build environment.
Building with another signer
For convenience, and to be able to support go install
the signer
device app binary is included in cmd/tkey-sign
.
If you want to replace the signer used you have to:
- Compile your own signer and place it in
cmd/tkey-sign
. - Change the path to the embedded signer in
cmd/tkey-sign/main.go
. Look forgo:embed...
. - Change the
appName
directly under thego:embed
to whatever your signer is called, so the agent reports this correctly with--version
. - Compute a new SHA-512 hash digest for your binary, typically by
something like
sha512sum cmd/tkey-sign/signer.bin-v0.0.7
and put the resulting output in the filesigner.bin.sha512
at the top level. make
in the top level.
Building the signer
- See the Devoloper Handbook for setup of development tools. We recommend you use tkey-builder.
- See the instructions in the tkey-device-signer repo.
- Copy its
signer/app.bin
tocmd/tkey-sign/signer.bin-${signer_version}
and runmake
.
To help prevent unpleasant surprises we keep a digest of the signer in
cmd/tkey-ssh-agent/signer.bin.sha512
. The compilation will fail if
this is not the expected binary. If you really intended to build with
another signer, see Building with another
signer above.
Licenses and SPDX tags
Unless otherwise noted, the project sources are licensed under the terms and conditions of the "GNU General Public License v2.0 only":
Copyright Tillitis AB.
These programs are free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 only.
These programs are distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see:
See LICENSE for the full GPLv2-only license text.
External source code we have imported are isolated in their own
directories. They may be released under other licenses. This is noted
with a similar LICENSE
file in every directory containing imported
sources.
The project uses single-line references to Unique License Identifiers as defined by the Linux Foundation's SPDX project on its own source files, but not necessarily imported files. The line in each individual source file identifies the license applicable to that file.
The current set of valid, predefined SPDX identifiers can be found on the SPDX License List at: