Add print fingerprint via -F feature

[aparcar]

To know the fingerprint used for a sec/pub/sig the option -F is added
which works in combination with -s, -p or -x. It will load the
file and and print the used fingerprint in hex.

This feature was ported over from OpenWrt's usign0, which is a slimmed
simpler implementation of signify.

Signed-off-by: Paul Spooren [email protected]

[aparcar]

OpenWrt package manager and sysupgrade functionality relies on usign which is a slimmed version of signify. There are currently some efforts to use signify instead.

The OpenWrt build system currently requires a fingerprint feature which was added to usign, however is lacking for signify.

[aparcar]

Any chance to get a comment on this?

[marcusmueller]

Any chance to get a comment on this?

You should! To make this a bit easier for me, this is a change that diverges from upstream OpenBSD, right? Is upstream aware, what do they think?

[aparcar]

Well I tried to make upstream aware of this by sending it to the "official" looking github mirror.

[aperezdc]

@aparcar In this case “upstream” would be the OpenBSD project. The goal of this project here in GitHub is to take OpenBSD's code and make it buildable on GNU/Linux and possibly other systems. The best way to get the feature added would be submitting a diff to the [email protected] mailing list (more here) explaining how the feature is useful.

Now, regarding the patch itself, the added code looks good to me and it is small, so if the OpenBSD folks think the feature is interesting I suppose that it may not be difficult to get it added 😃

What do you think about trying to submit it to OpenBSD? If the patch does not get accepted by them, then I can reconsider maintaining the patch here myself, but I would rather do that as the second option.

[stokito]

Are the fingerprints are important? The pub keys are so small that we may use them directly.
The fingerprint in usign is 8 bytes e.g. 16 hex.
The whole ed25519 pub key is 32 bytes e.g. 64 hex or 44 in b64.
The typical RSA fingerprint is 34 hex.

[aparcar]

I guess we stick with usign for now until we either switch to something based on a SSL library which now ship with OpenWrt anyway or find something with PQC features. Closing this.

[stokito]

@aparcar we can use the PKCS#7 detached signatures and .p7s files (same as in S/MIME). The ed25519 is supported there.

It still not so widely supported, but this is a standard.
We can use OpenSSL to sign and verify with openssl cms. Still the openssl-tools is complicated may be a too big dependency for routers so maybe a custom tool can be used instead.
On a desktop users can sign/verify with Kleopatra.

Other alternatives are:

• GnuPG gpgv - a short version of GPG with only sig veryfying.
• OpenSSH sign/verify but it's really badly designed and not used by anyone.