This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Not able to sign images using openssh keys. #2063

Open
sangee2004 opened this issue Aug 14, 2023 · 3 comments

sangee2004 commented Aug 14, 2023

Acorn version - v0.8.0-rc4+b6a95e8a

Steps to reproduce the problem:

Scenario1:

  1. Generate keys with ssh-keygen -t rsa
    Try to sign an image with any of the above keys

acorn image sign sangeetha/myfirstacorn:v0.0.4 --key <private key>

acorn image sign sangeetha/myfirstacorn:v0.0.4 --key sangeegh1
  •  Signing Image sangeetha/myfirstacorn:v0.0.4 (digest: index.docker.io/sangeetha/myfirstacorn@sha256:a6e655dab6d39796d297a1b8445c549594ae19a5874e1edb287622490df41833) using key sangeegh1
? Enter password for private key sangeegh1: *********
  ✗  ERROR:  unsupported private key
  1. Generate keys with ssh-keygen -t rsa -m pem
acorn image sign sangeetha/myfirstacorn:v0.0.4 --key sangeepem
  •  Signing Image sangeetha/myfirstacorn:v0.0.4 (digest: index.docker.io/sangeetha/myfirstacorn@sha256:a6e655dab6d39796d297a1b8445c549594ae19a5874e1edb287622490df41833) using key sangeepem
? Enter password for private key sangeepem: *********
  ✗  ERROR:  error parsing rsa private key: asn1: structure error: tags don't match (16 vs {class:0 tag:11 length:79 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
  1. Generate keys with ssh-keygen -t ed25519
 acorn image sign sangeetha/myfirstacorn:v0.0.4 --key sangeeed
  •  Signing Image sangeetha/myfirstacorn:v0.0.4 (digest: index.docker.io/sangeetha/myfirstacorn@sha256:a6e655dab6d39796d297a1b8445c549594ae19a5874e1edb287622490df41833) using key sangeeed
? Enter password for private key sangeeed: ********
  ✗  ERROR:  unsupported private key

Note - I am able to sign images successfully using keys generated by cosign. But I am not allowed to store these keys in GitHub.

@sangee2004

Tested with acorn version - acorn version v0.8.0-rc4-58-gbe49d0bd+be49d0bd

I am not able to sign using openssh keys

  1. Generate keys with ssh-keygen -t rsa
acorn image sign sangeetha/myfirstacorn:v0.0.4 --key sangeegh1
  •  Signing Image sangeetha/myfirstacorn:v0.0.4 (digest: index.docker.io/sangeetha/myfirstacorn@sha256:a6e655dab6d39796d297a1b8445c549594ae19a5874e1edb287622490df41833) using key sangeegh1
? Enter password for private key sangeegh1: *********
  ✗  ERROR:  decrypt: encrypted: unexpected kdf parameters
  1. Generate keys with ssh-keygen -t rsa -m pem
% acorn image sign sangeetha/myfirstacorn:v0.0.4 --key sangeepem
  •  Signing Image sangeetha/myfirstacorn:v0.0.4 (digest: index.docker.io/sangeetha/myfirstacorn@sha256:a6e655dab6d39796d297a1b8445c549594ae19a5874e1edb287622490df41833) using key sangeepem
? Enter password for private key sangeepem: *********
  ✗  ERROR:  error parsing rsa private key: asn1: structure error: tags don't match (16 vs {class:0 tag:11 length:79 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
  1. Generate keys with ssh-keygen -t ed25519
% acorn image sign sangeetha/myfirstacorn:v0.0.4 --key sangeeed 
  •  Signing Image sangeetha/myfirstacorn:v0.0.4 (digest: index.docker.io/sangeetha/myfirstacorn@sha256:a6e655dab6d39796d297a1b8445c549594ae19a5874e1edb287622490df41833) using key sangeeed
? Enter password for private key sangeeed: ********
  ✗  ERROR:  decrypt: encrypted: unexpected kdf parameters


sangee2004 commented Sep 7, 2023

Tested with acorn version - v0.8.0-13-gab9787b8+ab9787b8

Able to sign with the following 2 keys successfully:

  1. Keys generated with ssh-keygen -t rsa
  2. Keys generated with ssh-keygen -t ed25519

Still not able to sign with keys generated using ssh-keygen -t rsa -m pem

acorn image sign sangeetha/myfirstacorn:v0.0.4 --key sangeepem
  •  Signing Image sangeetha/myfirstacorn:v0.0.4 (digest: index.docker.io/sangeetha/myfirstacorn@sha256:a6e655dab6d39796d297a1b8445c549594ae19a5874e1edb287622490df41833) using key sangeepem
? Enter password for private key sangeepem: *********
  ✗  ERROR:  failed to import private key: error parsing rsa private key: asn1: structure error: tags don't match (16 vs {class:0 tag:11 length:79 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @hub-e2e 


iwilltry42 commented Sep 8, 2023

So far, we're able to sign with

  • RSA
  • ECDSA
  • ED25519
  • OPENSSH
  • COSIGN/SIGSTORE

keys.

For reference: cosign only supports COSIGN/SIGSTORE and requires initial transformation to support RSA/ECDSA/ED25519 formats by default.

I think we're good like this and shouldn't block this on the alternative/optional PEM format output 👍

WDYT @cjellick ?
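
Added example, not part of the thread and not Acorn's code: a passphrase-protected key written by `ssh-keygen -t rsa -m pem` keeps the `RSA PRIVATE KEY` PEM type and marks its body as ciphertext with `Proc-Type`/`DEK-Info` headers, so a loader that passes the body straight to Go's PKCS#1 parser fails with an ASN.1 error of the kind reported above. That this is the cause of the error in the issue is an assumption; the function names and the in-memory sample key are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// SampleEncryptedPEM: constructed passphrase-protected "RSA PRIVATE KEY" PEM.
func SampleEncryptedPEM(pass []byte) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	blk, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), pass, x509.PEMCipherAES128)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(blk), nil
}

// LoadRSA parses a PKCS#1 RSA key. With decrypt=false it mimics a loader that
// ignores the PEM headers and feeds the ciphertext to the ASN.1 parser.
func LoadRSA(data, pass []byte, decrypt bool) (*rsa.PrivateKey, error) {
	blk, _ := pem.Decode(data)
	if blk == nil || blk.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("expected an RSA PRIVATE KEY PEM block")
	}
	der := blk.Bytes
	if decrypt && x509.IsEncryptedPEMBlock(blk) { // DEK-Info header present
		var err error
		if der, err = x509.DecryptPEMBlock(blk, pass); err != nil {
			return nil, fmt.Errorf("decrypt PEM block: %w", err)
		}
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	pass := []byte("constructed-passphrase")
	data, _ := SampleEncryptedPEM(pass)
	_, naiveErr := LoadRSA(data, nil, false)
	_, fixedErr := LoadRSA(data, pass, true)
	fmt.Println("headers ignored:", naiveErr, "| headers honoured:", fixedErr)
}
```

Go marks `x509.EncryptPEMBlock`, `x509.DecryptPEMBlock` and `x509.IsEncryptedPEMBlock` as deprecated because legacy PEM encryption does not authenticate the ciphertext; they appear here only to construct and read that format.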
