ssh sig check

s

The sender needs to do this:

Create a file /tmp/attest with something like "blah", then sign it with:

openssl dgst -sha512 -sign ~/.ssh/id_rsa /tmp/attest > /tmp/attest.sig

then base64-encode the sig and the attest file:
base64 /tmp/attest >/tmp/attest.b64
base64 /tmp/attest.sig >/tmp/attest.sig.b64

generate checksums:
sha512sum attest* > checksums

And send the attest.b64, attest.sig.b64, and checksums files.


The Launchpad verifier does:

curl https://launchpad.net/~whoever/+sshkeys | grep "[email protected]"
> /tmp/who.pub
ssh-keygen -e -f /tmp/who.pub -m pkcs8 > /tmp/who.openssl.pub

openssl dgst -sha512 -verify /tmp/who.openssl.pub -signature /tmp/attest.sig
/tmp/attest

Example with A single script:

#!/bin/bash
KEY_ON_DISK=~/.ssh/id_rsa.canonical
LAUNCHPAD_USER=roadmr
KEY_IDENTIFIER="Canonical work key"
KEY_EXCLUDER="sonar"

mkdir ssh-attestation
pushd ssh-attestation

# Signing procedure
echo "This is me" > attest
openssl dgst -sha512 -sign $KEY_ON_DISK attest > attest.sig
base64 attest > attest.b64
base64 attest.sig > attest.sig.b64
sha512sum attest* > shasums

# Verification procedure
echo "Verifying"
sha512sum -c shasums
# Brittle - maybe select by line number instead?
curl "https://launchpad.net/~$LAUNCHPAD_USER/+sshkeys" | grep "$KEY_IDENTIFIER" | grep -v "$KEY_EXCLUDER" > lp-key.pub
ssh-keygen -e -f lp-key.pub -m pkcs8 > lp-key.openssl.pub
openssl dgst -sha512 -verify lp-key.openssl.pub -signature attest.sig attest
popd