add migrate_key cli script #658
This is in preparation for the removal of legacy key modules and formats, in favor of the new Signer API. It allows users to convert their old rsa, ed25519 and ecdsa key files, generated with the `interface` or `keys` module, and using an outdated standard or sslib proprietary format (see secure-systems-lab#309), to a consistent new standard format, which can be used with the file-based signer (`CryptoSigner`) of the new Signer API.

NOTE: The script uses legacy code and should thus be removed with them, from the repo tree, while remaining available to users of securesystemslib for some time. We could keep pointing to it in docs after its removal (users would need to check out the repo at a specified tag), or move it to a different place.

*Change details*

* Add cli script to convert key files.
* Add private/private encrypted/public test key files for each supported algorithm in the legacy format.\*\*
* Add comprehensive tests, includes backwards/forward compatibility of signatures.

\*\* The key pairs were generated with `interface`, minimally modified to allow writing an encrypted and non-encrypted version of the same private key.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
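As an added example (not the PR's `migrate_key` script, and not securesystemslib code), this sketches the conversion and the signature compatibility check the description refers to, using the `cryptography` package: a legacy-style ed25519 key dict is turned into a PKCS#8 PEM private key, and a signature made before migration is verified after it. The legacy dict layout (hex seed and public key under `keyval`), the `migrate_ed25519`/`signature_survives_migration` names and the sample seed are assumptions and constructed input.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization as ser
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Constructed sample seed (not a real key); the public half is derived from it
# so the legacy-style dict below is self-consistent.
_SEED = bytes(range(32))
_PUB = Ed25519PrivateKey.from_private_bytes(_SEED).public_key()
LEGACY_KEY = {  # assumed legacy layout: hex seed and public key under "keyval"
    "keytype": "ed25519",
    "scheme": "ed25519",
    "keyval": {
        "public": _PUB.public_bytes(ser.Encoding.Raw, ser.PublicFormat.Raw).hex(),
        "private": _SEED.hex(),
    },
}


def migrate_ed25519(legacy: dict, password: bytes = b"") -> bytes:
    """Return the private key as PKCS#8 PEM, encrypted when a password is given.

    Refuses a key whose stored public half does not match its seed, so a
    corrupted or edited legacy file is not silently migrated.
    """
    if legacy["keytype"] != "ed25519":
        raise ValueError("this example handles ed25519 only")
    priv = Ed25519PrivateKey.from_private_bytes(bytes.fromhex(legacy["keyval"]["private"]))
    derived = priv.public_key().public_bytes(ser.Encoding.Raw, ser.PublicFormat.Raw)
    if derived.hex() != legacy["keyval"]["public"]:
        raise ValueError("public key does not match private seed")
    enc = ser.BestAvailableEncryption(password) if password else ser.NoEncryption()
    return priv.private_bytes(ser.Encoding.PEM, ser.PrivateFormat.PKCS8, enc)


def signature_survives_migration(legacy: dict, message: bytes) -> bool:
    """Check both directions: a signature from the legacy key verifies with the
    migrated key, and a signature from the migrated key verifies with the old one."""
    old = Ed25519PrivateKey.from_private_bytes(bytes.fromhex(legacy["keyval"]["private"]))
    new = ser.load_pem_private_key(migrate_ed25519(legacy, b"pw"), password=b"pw")
    try:
        new.public_key().verify(old.sign(message), message)  # forward compatibility
        old.public_key().verify(new.sign(message), message)  # backward compatibility
    except InvalidSignature:
        return False
    return True
```

Because the PEM only re-encodes the same seed, the check above passes for any consistent key; the mismatch guard is what catches a file whose public and private halves have drifted apart.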
I don't object to the functionality but I have some questions:
I'm a little surprised I can't get mypy to complain about the lack of typing (even if I add the file to the config) but I don't know if that's something you should spend time on...
Git tree only is fine. It certainly does not have to be part of the public API/CLI, or even packaged. I really just wanted to add it to the "securesystemslib" namespace, piggyback on its CI, and show that it passes at least once. My idea was to tag it, remove it, but keep it in the docs for a while, including the tag at which it can be used. In reality, the script is unlikely to have a lot of users, and it's simple enough, so I might as well just throw it in a personal gist. What do you think?
I don't have strong opinions, any of those sounds fine. Could drop it in docs/ or examples/ as well 🤷 .
Script does not have to be part of the public API/CLI or be packaged. Just want to have it in the repo and use existing CI.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
@jku, would you kindly approve? I moved the script to docs/ and added a small pointer to README.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2a4fbbb to d378d2e
In preparation for the removal of legacy key interfaces and formats (secure-systems-lab#731), we provided a key file migration script in docs/ (secure-systems-lab#658). The script itself uses the legacy interfaces and thus should be removed from the current git tree together with them. This patch removes the script, including tests and test data, but keeps a tagged reference in the README, so that it can still be used with the pre-legacy-removal version of securesystemslib.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>