OSTree commit sign/verify with OpenSSL command with ed25519 Private key

[bhaijiyunus]

Hi,

I am new to OSTree & looking for help in understanding how OSTree commits gets signed. I have few questions regarding what all possible ways to sign the OSTree commits. I am using Yocto build system to create the embedded Linux. After build I can see ostree-repo is getting created.

Signing with OpenSSL:

• Does OSTree sign the commits during the build time or do we need to sign after the build?
• Is it possible to sign the ostree commit(after build) using the OpenSSL command just like we sign the data/file/binaries?
• Can we sign the commits with private key's stored on external 3rd party HSM using the OpenSSL command?
• How we can verify the signed images on device using OpenSSL command?

For testing purpose I created local ed25519 keys & trying to sign the commit with OpenSSL command
openssl genpkey -algorithm ed25519 -outform PEM -out ed25519.pem

Any example for signing the ostree commit will be helpful. Please provide your suggestions & valuable inputs.

Thanks,
jbhaijy

[dbnicholson]

You can either create the signature during the commit ostree commit --sign or after the commit ostree sign. In both cases the signature is in the commit's detached metadata. The signature during commit is just a convenience.

For example, using ostree commit, ostree commit --sign-from-file=/path/to/base64/encoded/private/key. Or, using ostree sign, ostree sign --keys-file=/path/to/base64/encoded/private/key $commit_id.

There are 2 ways ed25519 signatures are made.

1. Using libsodium
2. Using OpenSSL

In theory, 2 is what you want. Unfortunately, the only way presently to load the private key is from data provided to the OSTree API.

It would be pretty difficult to generate the signature without the OSTree API. In theory if you got the correct data (I believe it's just the raw .commit object, but there might be more to it), you could create the signature with the openssl CLI. The internal code uses EVP_DigestSign, and I assume you can basically do the same with the dgst command. However, you would then need to assemble the signature into the correct format to add to the detached metadata (.commitmeta) object. It would be possible, but you'd be getting into ostree internals.

I don't think using an HSM is possible at present. OSTree only allows signing with a raw private key, so you'd need to have the HSM export the private key. Most HSMs don't let you do that since it would kinda defeat the purpose.

[bhaijiyunus]

Hi @dbnicholson,

Our Yocto build using ostree version 2021.6. And on my Ubuntu VM I am using ostree version 2022.2 for signing & testing the ostree commits with ed25519 private/public key.

Just to understand ostree signing part, On my VM I created a dummy repo & created a ed25519 keypair, With the help of OpenSSL command I am able to sign the .commit & also signature.bin gets verified with OpenSSL command. But when I try to add signture.bin using ostree command into .commit, it gives me error. Below is the each steps which I done on my VM.

I don't see .commitmeta in my repo directory. Please help me where I am doing wrong & why I am getting the error while adding signature in .commit.

My final goal is to sign the ostree commit with the ed25519 key & the commit should get verified on the client(device) with its respective public key.

Thanks,
jbhaijy