We now have all the commands needed to generate the key hierarchy and to verify
that the signing keys were signed correctly:
```
$ ./tool/go run ./cmd/dist gen-key --priv-path root-priv.pem --pub-path root-pub.pem --root
wrote private key to root-priv.pem
wrote public key to root-pub.pem
$ ./tool/go run ./cmd/dist gen-key --priv-path signing-priv.pem --pub-path signing-pub.pem --signing
wrote private key to signing-priv.pem
wrote public key to signing-pub.pem
$ ./tool/go run ./cmd/dist sign-key --root-priv-path root-priv.pem --sign-pub-path signing-pub.pem
wrote signature to signature.bin
$ ./tool/go run ./cmd/dist verify-key-signature --root-pub-path root-pub.pem --sign-pub-path signing-pub.pem --sig-path signature.bin
signature ok
```
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
returnfmt.Errorf("signature %q for key %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key",sigURL,srcURL)
returnfmt.Errorf("signature %q for key %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key",sigURL,srcURL)
returnnil,fmt.Errorf("signature %q for key %q does not validate with any known root key; either you are under attack, or running a very old version of Tailscale with outdated root keys",sigURL,keyURL)
returnnil,fmt.Errorf("signature %q for key %q does not validate with any known root key; either you are under attack, or running a very old version of Tailscale with outdated root keys",sigURL,keyURL)
}
}
keys,err:=parseSigningKeyBundle(raw)
keys,err:=ParseSigningKeyBundle(raw)
iferr!=nil{
iferr!=nil{
returnnil,fmt.Errorf("cannot parse signing key bundle from %q: %w",keyURL,err)
returnnil,fmt.Errorf("cannot parse signing key bundle from %q: %w",keyURL,err)
fs.StringVar(&signKeyArgs.rootPrivPath,"root-priv-path","root-private-key.pem","path to the root private key to sign with")
fs.StringVar(&signKeyArgs.signPubPath,"sign-pub-path","signing-public-keys.pem","path to the signing public key bundle to sign; the bundle should include all active signing keys")
fs.StringVar(&signKeyArgs.sigPath,"sig-path","signature.bin","oputput path for the signature")
returnfs
})(),
},
{
Name:"verify-key-signature",
Exec:func(ctxcontext.Context,args[]string)error{
returnrunVerifyKeySignature(ctx)
},
ShortUsage:"dist verify-key-signature",
ShortHelp:"Verify a root signture of the signing keys' bundle",
fs.StringVar(&verifyKeySignatureArgs.rootPubPath,"root-pub-path","root-public-key.pem","path to the root public key; this can be a bundle of multiple keys")
fs.StringVar(&verifyKeySignatureArgs.signPubPath,"sign-pub-path","","path to the signing public key bundle that was signed")
fs.StringVar(&verifyKeySignatureArgs.sigPath,"sig-path","signature.bin","path to the signature file")