Ssh_signature - pure Erlang implementation of SSH signatures

OpenSSH some time ago learned how to sign arbitrary data. Since then some other tools have learned how to utilise such signatures (for example Git, but GitHub does not support them yet). This library provides two functions that allow you to create such signatures from Erlang with ease:

# Generate a 4096-bit RSA key pair; the algorithm name is the atom :rsa
key = :public_key.generate_key({:rsa, 4096, 65537})
data = "my arbitrary data"
namespace = "text"

# Produces an armored SSH signature over `data`, bound to `namespace`
signature = :ssh_signature.sign(data, key, namespace)

{:ok, result} = :ssh_signature.verify(signature, data)
# Here you need to check that `result.public_key` and `result.namespace` are what you expect

Source available at

14 Likes

I have been using :public_key.sign(payload, :sha512, prk) to sign payloads sent to customer webhooks. What is the format of the data used here (with namespace)?

Edit: I was thinking “SSL” and not “SSH”. When you refer to Git, are you talking about signing commits (and signed+annotated tags)?

The format used is SSH signature; there is a protocol description
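As an added illustration (not code from this thread or from the ssh_signature library), here is the SSHSIG framing that answers the question above and that the sign/verify calls in the first post produce and consume: the fields of the armored blob, and the wrapper that the private key actually signs, which is where the namespace is bound. The key and signature bytes are constructed placeholders; field names and the 70-column armor wrap follow OpenSSH's PROTOCOL.sshsig.

```python
import base64
import hashlib
import struct

# Wire format from OpenSSH's PROTOCOL.sshsig: a 6-byte magic, a uint32 version,
# then SSH "string" fields (uint32 big-endian length followed by the bytes).
MAGIC = b"SSHSIG"
VERSION = 1
FIELDS = ("public_key", "namespace", "reserved", "hash_algorithm", "signature")

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_sshsig(pubkey_blob, namespace, hash_alg, sig_blob) -> str:
    body = MAGIC + struct.pack(">I", VERSION)
    for field in (pubkey_blob, namespace, b"", hash_alg, sig_blob):
        body += ssh_string(field)  # "reserved" is always the empty string
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # OpenSSH wraps at 70
    return "-----BEGIN SSH SIGNATURE-----\n" + "\n".join(lines) + "\n-----END SSH SIGNATURE-----\n"

def parse_sshsig(armored: str) -> dict:
    lines = [l for l in armored.strip().splitlines() if not l.startswith("-----")]
    body = base64.b64decode("".join(lines))
    if body[:6] != MAGIC:
        raise ValueError("not an SSHSIG blob")
    (version,) = struct.unpack_from(">I", body, 6)
    if version != VERSION:
        raise ValueError(f"unsupported SSHSIG version {version}")
    out, off = {}, 10
    for field in FIELDS:
        out[field], off = read_string(body, off)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    return out

def signed_data(namespace: bytes, hash_alg: bytes, message: bytes) -> bytes:
    # The key never signs the raw message; it signs this wrapper, which binds
    # the namespace so a "text" signature cannot be replayed as a "git" one.
    digest = hashlib.new(hash_alg.decode(), message).digest()
    return MAGIC + ssh_string(namespace) + ssh_string(b"") + ssh_string(hash_alg) + ssh_string(digest)
```

A verifier parses the blob, rebuilds signed_data() from the message and the parsed namespace and hash_algorithm, and checks the signature field over it with the algorithm named in the public_key blob; the caller must then still confirm that the recovered key and namespace are the ones it expects, as the first post notes.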

Indeed. Here is an article that describes how to do it, and it seems that GitHub recently added support for verifying these in their UI.

1 Like

Thanks!