
637 points h1x | 3 comments
1. loloquwowndueo No.29209617
This has been possible for a long time using a combination of OpenSSL and ssh.

To sign: openssl dgst -sha512 -sign ~/.ssh/id_rsa file > file.sig

To verify, needs converting the public key (who.pub) to something OpenSSL can grok:

ssh-keygen -e -f /tmp/who.pub -m pkcs8 > /tmp/who.openssl.pub

Then verify: openssl dgst -sha512 -verify /tmp/who.openssl.pub -signature file.sig file

replies (2): >>29212852, >>29213117
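The recipe in the comment above as a runnable round trip. This is an added example, not the commenter's own script: it generates a throwaway RSA key, signs and verifies with OpenSSL exactly as described, shows that a modified file fails to verify, and then signs the same file with the native ssh-keygen -Y (SSHSIG) path for comparison. It assumes ssh-keygen and openssl are on PATH, that ssh-keygen is OpenSSH 8.0 or newer for the -Y part, and the identity alice@example.com, the namespace "file" and the payload are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL sign/verify with an SSH key,
# then the same file signed with ssh-keygen -Y. Runs in a temp directory.
set -eu

# Generate a throwaway RSA key pair in PEM format. `openssl dgst -sign`
# cannot read the native "OPENSSH PRIVATE KEY" format that ssh-keygen
# writes by default, so -m PEM is what makes the recipe work on a key
# generated today. Assumes ssh-keygen is on PATH.
make_test_key() {
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -C 'demo' -f "$1/id_rsa"
}

# Sign file $2 with PEM private key $1; the PKCS#1 v1.5 signature over
# SHA-512 goes to $3. Assumes openssl is on PATH.
openssl_sign() {
    openssl dgst -sha512 -sign "$1" -out "$3" "$2"
}

# Verify signature $3 over file $2 against OpenSSH public key $1.
# The .pub line is converted to PKCS#8 PEM first, as in the comment.
# Returns 0 on "Verified OK", non-zero otherwise.
openssl_verify() {
    pem="$3.pub.pem"
    ssh-keygen -e -f "$1" -m PKCS8 > "$pem"
    openssl dgst -sha512 -verify "$pem" -signature "$3" "$2" >/dev/null 2>&1
}

# SSHSIG with ssh-keygen. -n is the namespace: the verifier must supply the
# same one, so a signature made for "file" cannot be replayed in another
# context. Writes $2.sig next to the file.
sshsig_sign() {
    ssh-keygen -q -Y sign -f "$1" -n file "$2"
}

# Verify an SSHSIG signature. $1 is an allowed_signers file ("identity key"
# per line), $2 the claimed identity, $3 the file, $4 the .sig file.
sshsig_verify() {
    ssh-keygen -q -Y verify -f "$1" -I "$2" -n file -s "$4" < "$3" >/dev/null 2>&1
}

# Full demo: prints one line per check, returns 1 if any check misbehaves.
demo() {
    if ! command -v openssl >/dev/null 2>&1 || ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "demo skipped: needs openssl and ssh-keygen on PATH" >&2
        return 0
    fi
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    make_test_key "$d"
    printf 'release-1.2.3.tar.gz sha256=...\n' > "$d/file"   # constructed payload

    openssl_sign "$d/id_rsa" "$d/file" "$d/file.openssl.sig"
    openssl_verify "$d/id_rsa.pub" "$d/file" "$d/file.openssl.sig" \
        && echo "openssl: genuine file verifies"

    cp "$d/file" "$d/tampered"; printf 'x' >> "$d/tampered"
    if openssl_verify "$d/id_rsa.pub" "$d/tampered" "$d/file.openssl.sig"; then
        echo "openssl: tampered file VERIFIED (bug)"; return 1
    fi
    echo "openssl: tampered file rejected"

    sshsig_sign "$d/id_rsa" "$d/file"
    printf 'alice@example.com %s\n' "$(cat "$d/id_rsa.pub")" > "$d/allowed_signers"
    sshsig_verify "$d/allowed_signers" alice@example.com "$d/file" "$d/file.sig" \
        && echo "sshsig: genuine file verifies for alice@example.com"
    if sshsig_verify "$d/allowed_signers" mallory@example.com "$d/file" "$d/file.sig"; then
        echo "sshsig: unlisted identity VERIFIED (bug)"; return 1
    fi
    echo "sshsig: same key under an unlisted identity rejected"
}

# Run the demo unless DEMO_RUN=0, so the functions can also be sourced.
[ "${DEMO_RUN:-1}" = 1 ] && demo
```

Two caveats worth knowing before relying on the OpenSSL path: an existing key in the default OpenSSH private-key format has to be converted first (`ssh-keygen -p -m PEM -f ~/.ssh/id_rsa` rewrites it in place), and OpenSSL needs the plaintext private key file, whereas `ssh-keygen -Y sign -f ~/.ssh/id_rsa.pub` will ask ssh-agent for the signature when only the public half is given, which is what lets a hardware token do the signing. The SSHSIG verifier also binds the signature to a namespace and an allowed_signers identity, which the bare `openssl dgst -verify` check does not.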
2. stormbrew No.29212852
What you get with this over monkeying around with openssl (other than having to deal with two tools with awful command-line argument UX instead of just one) is that you can use ssh-agent to do the signing, which means you can also use tokens and such.
3. riedel No.29213117
We use openssl to encrypt our password DB using SSH pub keys. Works nicely in scripts. Wonder why we need the new command line.