sign

package
v0.11.1
Warning

This package is not in the latest version of its module.

Published: Apr 21, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

Package sign provides raw Ed25519 signing and verification with detached signature files.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Sign

func Sign(data []byte, priv keys.PrivateKey) (string, error)

Sign signs data with the given private key and returns a base64-encoded signature.

func SignFile

func SignFile(path string, priv keys.PrivateKey) (string, error)

SignFile reads the file at path and returns a base64-encoded signature over its contents.

func Verify

func Verify(data []byte, sig string, pub keys.PublicKey) (bool, error)

Verify decodes a base64-encoded signature and verifies it against data using the public key. It returns false (not an error) when the signature is well-formed but does not match data.

func VerifyWithRotation

func VerifyWithRotation(data []byte, sig string, ks keystore.Keystore, name string, passphrase []byte) (bool, error)

VerifyWithRotation verifies sig against data using the named key from ks. It tries the current active key first, then each rotated key in rotation order (oldest first). Returns true on the first successful match. Returns false (without error) when the key is not found or no key matches the signature. The passphrase parameter is accepted for API symmetry with signing helpers but is not used during verification.

func WriteManifest

func WriteManifest(m Manifest, dest string) error

WriteManifest serialises m as JSON to dest.

func WriteSigFile

func WriteSigFile(path string, sig string, pubFingerprint string) error

WriteSigFile writes a detached signature file to {path}.sig containing the signature and the signer's public key fingerprint.

Types

type Manifest

type Manifest struct {
	Entries []ManifestEntry `json:"entries"`
}

Manifest holds the signed entries produced by BatchSign.

func BatchSign

func BatchSign(paths []string, priv keys.PrivateKey, pub keys.PublicKey) (Manifest, error)

BatchSign signs each file in paths, writes a .sig file alongside each, and returns a Manifest.

func ReadManifest

func ReadManifest(path string) (Manifest, error)

ReadManifest deserialises a Manifest from a JSON file at path.

type ManifestEntry

type ManifestEntry struct {
	Path        string `json:"path"`
	SHA256Hex   string `json:"sha256"`
	Signature   string `json:"signature"`
	PublicKey   string `json:"public_key"`
	Fingerprint string `json:"fingerprint"`
}

ManifestEntry records the path, content hash, Ed25519 signature, public key, and fingerprint for one file. The PublicKey field (OpenSSH authorized_keys format) is required so that VerifyManifest can verify signatures without any external key store.

type VerifyResult

type VerifyResult struct {
	Path string
	OK   bool
	Err  error
}

VerifyResult is the per-entry outcome from VerifyManifest.

func VerifyManifest

func VerifyManifest(m Manifest) ([]VerifyResult, error)

VerifyManifest re-reads each file referenced in m, verifies its SHA-256 hash and Ed25519 signature, and returns a per-entry result. A non-nil top-level error is returned only for structural problems; per-file failures appear as VerifyResult.OK == false.
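
Because each ManifestEntry carries its own public key, a passing VerifyManifest result shows that the manifest is internally consistent, not who signed it. The following is an added example, not code from this package, of a caller-side check that also pins the signer: it recomputes the key's fingerprint and requires it to appear in a trusted set. The names entry, sshPrefix, parseKey and checkEntry are hypothetical, and the encodings (standard base64 signature over the raw file bytes, lowercase hex SHA-256, OpenSSH-style SHA256 fingerprint) are assumptions that may differ from what the package writes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// entry is a local stand-in for the ManifestEntry fields used here.
type entry struct{ Path, SHA256Hex, Signature, PublicKey string }
const sshPrefix = "\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" // 19-byte key blob header

// parseKey reads "ssh-ed25519 <base64> [comment]" and returns the key and its SHA256 fingerprint.
func parseKey(line string) (ed25519.PublicKey, string, error) {
	f := append(strings.Fields(line), "", "") // pad so f[0] and f[1] always exist
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || f[0] != "ssh-ed25519" || len(blob) != 51 || string(blob[:19]) != sshPrefix {
		return nil, "", fmt.Errorf("malformed ssh-ed25519 key")
	}
	sum := sha256.Sum256(blob)
	return ed25519.PublicKey(blob[19:]), "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// checkEntry accepts e only if its key is pinned in trusted and hash and signature match content.
func checkEntry(e entry, content []byte, trusted map[string]bool) error {
	pub, fp, err := parseKey(e.PublicKey)
	sig, sigErr := base64.StdEncoding.DecodeString(e.Signature) // assumed: standard base64
	switch {
	case err != nil || !trusted[fp]: // fp is recomputed from the key, never read from e
		return fmt.Errorf("%s: signer key malformed or not pinned (%q)", e.Path, fp)
	case fmt.Sprintf("%x", sha256.Sum256(content)) != e.SHA256Hex:
		return fmt.Errorf("%s: sha256 mismatch", e.Path)
	case sigErr != nil || !ed25519.Verify(pub, content, sig):
		return fmt.Errorf("%s: bad signature", e.Path)
	}
	return nil
}

func main() { // constructed sample: a fresh key signs "release-1.0"
	pub, priv, _ := ed25519.GenerateKey(nil)
	data := []byte("release-1.0")
	line := "ssh-ed25519 " + base64.StdEncoding.EncodeToString(append([]byte(sshPrefix), pub...))
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, data))
	e := entry{"a.bin", fmt.Sprintf("%x", sha256.Sum256(data)), sig, line}
	_, fp, _ := parseKey(line)
	fmt.Println(checkEntry(e, data, map[string]bool{fp: true}), "|", checkEntry(e, data, nil))
}
```

The trusted set should come from a channel independent of the manifest, such as configuration shipped with the verifier.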
