ostree signing EC25519 key generation

[jbtrystram]

hi everyone !

I am trying to setup a POC for composeFS signing in coreos-assembler but I am hitting an error : Ill-formed input: expected 69 bytes, got 64 bytes" .

I am trying to do

ostree commit --generate-composefs-metadata --sign-from-file /srv/cosa-sign-64 \
    --repo="${tmprepo}" --branch="${buildid}" --parent="${commit}"

I tried a couple of ways to generate the Ed25519 private key, taking inspiration from the tests but still hitting the same issue.

The spec seems to say Ed25519 keys should always be 64 bytes so I am a bit confused. ostree sign man page says a base64 key is expected but I can't get find the correct combination of commands to form a key to be accepted by ostree.

Here are a few combinations I tried based on this test file:

# Generate the key
openssl genpkey -algorithm ed25519 -out $KEY_NAME

openssl pkey -in $KEY_NAME -outform DER | tail -c 32 | base64 > $KEY_NAME.ed25519
openssl pkey -in $KEY_NAME -outform DER | base64 > $KEY_NAME.ed25519

Is there an example somewhere ?

[jbtrystram]

Ok solved, here is what works for me :

# Generate the key
openssl genpkey -algorithm ed25519 -outform PEM -out $KEY_FILE

# Extract the pubkey 
PUBKEY="$(openssl pkey -outform DER -pubout -in ${KEY_FILE} | tail -c 32 | base64)"

## write the pubkey in overrides
echo $PUBKEY > overrides/rootfs/etc/ostree/initramfs-root-binding.key

# Convert the private key to base64 for ostree signing 
## Extract the seed
SEED="$(openssl pkey -outform DER -in ${KEY_FILE} | tail -c 32 | base64)"
## Secret key is concantination of SEED and PUBLIC
echo ${SEED}${PUBKEY} | base64 -d | base64 -w 0 > ${KEY_FILE}.ed25519