tkey-sign creates and verifies cryptographic signatures of files.
The signature is created by the signer device
app running on the
Tillitis TKey. The signer is automatically
loaded into the TKey by tkey-sign when signing or extracting the
public key. The measured private key never leaves the TKey.
See Release notes.
Get a public key, possibly modifying the key pair by using a User
Supplied Secret, and storing the public key in file -p pubkey.
tkey-sign -G/--getkey [-d/--port device] [-s/--speed speed]
[--uss] [--uss-file secret-file] -p/--public pubkey
Sign a file, specified with -m message, possibly modifying the
measured key pair by using a User Supplied Secret, and storing the
signature in -x sigfile or, by default, in message.sig. You need
to supply the public key file as well which tkey-sign will
automatically verify that it's the expected public key.
tkey-sign -S/--sign [-d/--port device] [-s speed] -m message
[--uss] [--uss-file secret-file] -p/--public pubkey [-x sig-file]
Verify a signature of file -m message with public key in -p pubkey.
Signature is by default in message.sig but can be specified
with -x sigfile. Doesn't need a connected TKey.
tkey-sign -V/--verify -m message -p/--public pubkey [-x sigfile]
Alternatively you can use OpenBSD's signify(1) to verify the signature but you need to compute the SHA-512 of the file first and feed that to the verification. We provide a handy script that does this:
signify-verify message pubkey
Exit code is 0 on success and non-zero on failure.
See the manual page for details.
All examples either load the device app automatically or works with an already loaded device app.
Store the public key in a file.
$ tkey-sign -G -p key.pub
Sign a file using the signer's basic secret or the identity of an already loaded signer while also checking that you have the right public key in a file:
$ tkey-sign -S -m message.txt -p key.pub
Verify a signature over a message file with the signature in the default "message.txt.sig" file:
$ tkey-sign -V -p key.pub -m message.txt
or
$ signify-verify message.txt key.pub
Signature Verified
$
The easiest way is to:
$ go install github.com/tillitis/tkey-sign-cli/cmd/tkey-sign@latest
After this the tkey-sign command should be available in your
$GOBIN directory.
Note that this doesn't set the version and other stuff you get if you
use make.
If you have Go and make installed, a simple:
$ make
or, for a Windows executable,
$ make tkey-sign.exe
should build tkey-sign. A pre-compiled signer device app binary is
included in the repo and will be automatically embedded.
Cross compiling the usual Go way with GOOS and GOARCH environment
variables works for most targets but currently doesn't work for
GOOS=darwin since the go.bug.st/serial package relies on macOS
shared libraries for port enumeration.
If you want to use the tkey-builder image and you have make you can
run:
$ podman pull ghcr.io/tillitis/tkey-builder:4
$ make podman
or run tkey-builder directly with Podman:
$ podman run --rm --mount type=bind,source=$(CURDIR),target=/src -w /src -it ghcr.io/tillitis/tkey-builder:4 make -j
Note that building with Podman by default creates a Linux binary. Set
GOOS and GOARCH with -e in the call to podman run to desired
target. Again, this won't work with a macOS target.
You can install tkey-sign and reload the Linux udev rules to get
access to the TKey with:
$ sudo make install
$ sudo make reload-rules
You should be able to build a binary that is a exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries.
Please see the official releases for digests and details about the build environment.
For convenience, and to be able to support go install the signer
device app binary is included in cmd/tkey-sign.
If you want to replace the signer used you have to:
- Compile your own signer and place it in
cmd/tkey-sign. - Change the path to the embedded signer in
cmd/tkey-sign/main.go. Look forgo:embed.... - Change the
appNamedirectly under thego:embedto whatever your signer is called, so the agent reports this correctly with--version. - Compute a new SHA-512 hash digest for your binary, typically by
something like
sha512sum cmd/tkey-sign/signer.bin-v0.0.7and put the resulting output in the filesigner.bin.sha512at the top level. makein the top level.
- See the Devoloper Handbook for setup of development tools. We recommend you use tkey-builder.
- See the instructions in the tkey-device-signer repo.
- Copy its
signer/app.bintocmd/tkey-sign/signer.bin-${signer_version}and runmake.
To help prevent unpleasant surprises we keep a digest of the signer in
cmd/tkey-ssh-agent/signer.bin.sha512. The compilation will fail if
this is not the expected binary. If you really intended to build with
another signer, see Building with another
signer above.
Unless otherwise noted, the project sources are licensed under the terms and conditions of the "GNU General Public License v2.0 only":
Copyright Tillitis AB.
These programs are free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 only.
These programs are distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see:
See LICENSE for the full GPLv2-only license text.
External source code we have imported are isolated in their own
directories. They may be released under other licenses. This is noted
with a similar LICENSE file in every directory containing imported
sources.
The project uses single-line references to Unique License Identifiers as defined by the Linux Foundation's SPDX project on its own source files, but not necessarily imported files. The line in each individual source file identifies the license applicable to that file.
The current set of valid, predefined SPDX identifiers can be found on the SPDX License List at: