forked from sigstore/cosign
chore(docs): deprecates hardware tokens and PKCS11 docs (sigstore#2970)
Signed-off-by: ChrisJBurns <[email protected]>
1 parent fc61f43, commit f6d8481
Showing 2 changed files with 2 additions and 358 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,96 +1 @@ | ||
# PKCS11 Tokens | ||
|
||
The `cosign` command line tool optionally supports PKCS11 tokens for signing. | ||
This support is enabled through the [crypto11](https://github.com/ThalesIgnite/crypto11) and the [pkcs11](https://github.com/miekg/pkcs11) libraries, which are not included in the standard release. Use [`make cosign-pivkey-pkcs11key`](https://github.com/sigstore/cosign/blob/a8d1cc1132d4a019a62ff515b9375c8c5b98a5c5/Makefile#L52), or `go build -tags=pkcs11key`, to build `cosign` with support for PKCS11 tokens. | ||
|
||
For the following examples, we have: | ||
|
||
```shell | ||
$ IMAGE=gcr.io/dlorenc-vmtest2/demo | ||
$ IMAGE_DIGEST=$IMAGE@sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd | ||
``` | ||
|
||
## Quick Start | ||
|
||
### Setup | ||
|
||
To get started, make sure you already have your PKCS11 module installed, and insert your PKCS11-compatible token. | ||
|
||
Then, run the command `cosign pkcs11-tool list-tokens` to get the slot id of your token, as follows : | ||
|
||
```shell | ||
$ cosign pkcs11-tool list-tokens --module-path /usr/local/lib/libp11.so | ||
Listing tokens of PKCS11 module '/usr/local/lib/libp11.so' | ||
Token in slot 1 | ||
Label: TokenLabel | ||
Manufacturer: Token Manufacturer | ||
Model: Token Model | ||
S/N: 68800ca5c75e074c | ||
``` | ||
|
||
Afterwards, run the command `cosign pkcs11-tool list-keys-uris` to retrieve the PKCS11 URI of the key you wish to use, as follows : | ||
|
||
```shell | ||
$ cosign pkcs11-tool list-keys-uris --module-path /usr/local/lib/libp11.so --slot-id 1 --pin 1234 | ||
Listing URIs of keys in slot '1' of PKCS11 module '/usr/local/lib/libp11.so' | ||
Object 0 | ||
Label: key_label_1 | ||
ID: 4a8d2f6ed9c4152b260d6c74a1ae72fcfdc64b65 | ||
URI: pkcs11:token=TokenLabel;slot-id=1;id=%4a%8d%2f%6e%d9%c4%15%2b%26%0d%6c%74%a1%ae%72%fc%fd%c6%4b%65?module-path=/usr/local/lib/libp11.so&pin-value=1234 | ||
Object 1 | ||
Label: key_label_2 | ||
ID: 57b39235cc6dec404c2310d7e37d5cbb5f1bba70 | ||
URI: pkcs11:token=TokenLabel;slot-id=1;id=%57%b3%92%35%cc%6d%ec%40%4c%23%10%d7%e3%7d%5c%bb%5f%1b%ba%70?module-path=/usr/local/lib/libp11.so&pin-value=1234 | ||
``` | ||
|
||
You can also construct the PKCS11 URI of your key manually by providing the following URI components : | ||
|
||
* **module-path** : the absolute path to the PKCS11 module **(optional)** | ||
|
||
* **token** and/or **slot-id** : either or both of the PKCS11 token label and the PKCS11 slot id **(mandatory)** | ||
|
||
* **object** and/or **id** : either or both of the PKCS11 key label and the PKCS11 key id **(mandatory)** | ||
|
||
* **pin-value** : the PIN of the PKCS11 token **(optional)** | ||
|
||
If `module-path` is not present in the URI, `cosign` expects the PKCS11 module path to be set using the environment variable `COSIGN_PKCS11_MODULE_PATH`. If neither are set, `cosign` will fail. If both are set, `module-path` has priority over `COSIGN_PKCS11_MODULE_PATH` environment variable. | ||
|
||
If `pin-value` is not present in the URI, `cosign` expects the PIN to be set using the environment variable `COSIGN_PKCS11_PIN`. If it is not, `cosign` checks whether the PKCS11 token requires user login (flag CKF_LOGIN_REQUIRED set), and if so, `cosign` will invite the user to enter the PIN only during signing. If both `pin-value` and `COSIGN_PKCS11_PIN` environment variable are set, `pin-value` has priority over `COSIGN_PKCS11_PIN`. | ||
|
||
### Signing | ||
|
||
You can then use the normal `cosign` commands to sign images and blobs with your PKCS11 key. | ||
|
||
```shell | ||
$ cosign sign --key "<PKCS11_URI>" $IMAGE_DIGEST | ||
Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.sig | ||
``` | ||
|
||
To verify, you can either use the PKCS11 token key directly: | ||
|
||
```shell | ||
$ cosign verify --key "<PKCS11_URI>" $IMAGE | ||
Verification for gcr.io/dlorenc-vmtest2/demo -- | ||
The following checks were performed on each of these signatures: | ||
- The cosign claims were validated | ||
- The signatures were verified against the specified public key | ||
- The code-signing certificate was verified using trusted certificate authority certificates | ||
|
||
[{"critical":{"identity":{"docker-reference":"gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd"},"type":"cosign container image signature"},"optional":null}] | ||
``` | ||
|
||
Or export the public key and verify against that: | ||
|
||
```shell | ||
$ cosign public-key --key "<PKCS11_URI>" > pub.key | ||
|
||
$ cosign verify --key pub.key $IMAGE_DIGEST | ||
Verification for gcr.io/dlorenc-vmtest2/demo -- | ||
The following checks were performed on each of these signatures: | ||
- The cosign claims were validated | ||
- The signatures were verified against the specified public key | ||
- The code-signing certificate was verified using trusted certificate authority certificates | ||
|
||
[{"critical":{"identity":{"docker-reference":"gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd"},"type":"cosign container image signature"},"optional":null}] | ||
|
||
``` | ||
> Note of deprecation: This document has been migrated into [`sigstore/docs`](https://github.com/sigstore/docs/blob/main/content/en/cosign/pkcs11.md) as part of [documentation migration](https://github.com/sigstore/cosign/issues/822) and PR: https://github.com/sigstore/docs/pull/129. To view the live docs page, go to: https://docs.sigstore.dev/cosign/pkcs11 |
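Review bot: The replacement line at the end of this hunk opens with "Note of deprecation", which next to a commit titled "deprecates hardware tokens and PKCS11 docs" can be read as deprecating PKCS11 support itself, while the rest of the sentence only says the document was migrated. Suggest wording such as "This document has moved to ..." and keeping the `# PKCS11 Tokens` heading above it so the stub still identifies itself. The `blob/main/content/en/cosign/pkcs11.md` link follows a branch and will break if that file is renamed; a commit permalink, or the docs.sigstore.dev URL alone, would hold up better.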
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,262 +1 @@ | ||
# Hardware Tokens | ||
|
||
The `cosign` command line tool optionally supports hardware tokens for signing and key management. | ||
This support is enabled through the [PIV protocol](https://csrc.nist.gov/projects/piv/piv-standards-and-supporting-documentation) | ||
and the [go-piv](https://github.com/go-piv/piv-go) library, which is not included in the standard release. Use `make cosign-pivkey-pkcs11key`, or `go build -tags=pivkey,pkcs11key ./cmd/cosign`, to build `cosign` with support for hardware tokens. | ||
|
||
--- | ||
**NOTE** | ||
|
||
`cosign`'s hardware token support requires `libpcsclite` on platforms other than Windows and OSX. | ||
See [`go-piv`'s installation instructions for your platform.](https://github.com/go-piv/piv-go#installation) | ||
|
||
--- | ||
|
||
We recommend using an application provided by your hardware vendor to manage keys and permissions for advanced use-cases, but `cosign piv-tool` should work well for most users. | ||
|
||
The following exmamples use this image: | ||
|
||
```shell | ||
$ IMAGE=gcr.io/dlorenc-vmtest2/demo | ||
$ IMAGE_DIGEST=$IMAGE@sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd | ||
``` | ||
|
||
## Quick Start | ||
|
||
### Setup | ||
|
||
To get started, insert a key to your computer and run the `cosign piv-tool generate-key` command. | ||
We recommend using the `--random-management-key=true` flag. | ||
|
||
This command generates a cryptographically-random management key and configures the device to use it. | ||
This management key is destroyed, requiring a hardware reset to modify the signing key (this can be done with the `cosign piv-tool reset` command). | ||
|
||
A signing key is generated on the hardware, and the resulting attestations are printed to stdout. | ||
You do not need to save these, they can be retrieved later with the `cosign piv-tool attestation` command. | ||
|
||
```shell | ||
$ cosign piv-tool generate-key --random-management-key | ||
Resetting management key to random value. You must factory reset the device to change this value: y | ||
Generating new signing key. This will destroy any previous keys.: y | ||
Generated public key | ||
-----BEGIN PUBLIC KEY----- | ||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEbZHvZgxjkqWlY865CPlmAqjLK6y | ||
PhL+7MoxI3LLmO/gOhH8Q6elVcAZJgAUZY+GXlN0u1/TatI+sdw2DEQThw== | ||
-----END PUBLIC KEY----- | ||
|
||
Printing device attestation certificate | ||
-----BEGIN CERTIFICATE----- | ||
MIIC+jCCAeKgAwIBAgIJAJDjrwcvIYiiMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNV | ||
BAMMIFl1YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAw | ||
MDAwMFoYDzIwNTIwNDE3MDAwMDAwWjAhMR8wHQYDVQQDDBZZdWJpY28gUElWIEF0 | ||
dGVzdGF0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyS4ANsMp | ||
RQA9cigP1oUG8yQ8tQkel2IergXvY9WSYy/muj30exFWXvO323i9RaQtoT7hOS5d | ||
SsH1hNvSTD56fIaKpg+8jHsQLM6mF2Jo0Kb4rBduYNi+waFbGcwgrmRX1d9NcYb6 | ||
UDJt0o0RW6aGPY6wqUvMlIj0EwNIN7Ct1wSjIdL1qFmyVwUkQkPDd/0jDv7giE0P | ||
M36qISQ6U8t2jNg5aWDEjf7wwWTIiMjbv0FaaiL5Vqmc7WboofKZN5nQyWGAtAtz | ||
jTXzSkBfNPDO1eAUgbCbmu5efD8WeAtiPQyz8zQDU5UyihmDUEF1Dgr9/QMtQ5bd | ||
Z+FkBTtBYFp4aQIDAQABoykwJzARBgorBgEEAYLECgMDBAMFAgYwEgYDVR0TAQH/ | ||
BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAQutaY0Wf/o2MPyRmsMM1QQuX | ||
JI1ncaiDczWpFGj8YFUqlwLsEgYMzzGMrgPHIyE+CCgbYfyJu2mGU7goEHFq2/Ky | ||
i8mjJtk/nVMF/m+dD7zbLvXPU0f9BKdpm1LUjC/YscvkFuI+sFrZvk8e1DAM49D5 | ||
Dm3MsEw9KjGhhTSv8iMoz9QMN7O1ozfsLTkj5eJQFEzkeUtgPxoJVnJqd4JkqnhF | ||
ZoN7tG+9N6wouG5pCzOJDgraGwow11UdcheQze2SVktYcRdWVgr86YBiYdfAzkLz | ||
FN4tXEiGuQyX6gWKBdd91niHF27RIWNGuz6X9KzMwgJ374n2ld8BiLg9PU30xA== | ||
-----END CERTIFICATE----- | ||
|
||
Printing key attestation certificate | ||
-----BEGIN CERTIFICATE----- | ||
MIICVTCCAT2gAwIBAgIQARbGLrd6RGhDODMN+neZczANBgkqhkiG9w0BAQsFADAh | ||
MR8wHQYDVQQDDBZZdWJpY28gUElWIEF0dGVzdGF0aW9uMCAXDTE2MDMxNDAwMDAw | ||
MFoYDzIwNTIwNDE3MDAwMDAwWjAlMSMwIQYDVQQDDBpZdWJpS2V5IFBJViBBdHRl | ||
c3RhdGlvbiA5YzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBG2R72YMY5KlpWP | ||
OuQj5ZgKoyyusj4S/uzKMSNyy5jv4DoR/EOnpVXAGSYAFGWPhl5TdLtf02rSPrHc | ||
NgxEE4ejTjBMMBEGCisGAQQBgsQKAwMEAwUCBjAUBgorBgEEAYLECgMHBAYCBADH | ||
kP4wEAYKKwYBBAGCxAoDCAQCAwIwDwYKKwYBBAGCxAoDCQQBAzANBgkqhkiG9w0B | ||
AQsFAAOCAQEAesDBFM7J67HCaJ6YzF2Ztz9UwQWVVid9AXG0b3rTdDBUAm85I+9a | ||
zr8kS/adx2DKXQwQ2XTkSh4uMd4vVXMPr/MCiVzKzVnCgel1Fv97OaozpEicnTTn | ||
0/cvf6NSdFeRDL06NBphp3gdWEkvuTb0LmCKnCldKbtGllK6yfZ/kVZexdnUrFIi | ||
Hy45LclHKHKe3nveDD1WuGCpSABrxkx/BL/BNHB1y/gwiPHBFX+RShAtHwlW8uDK | ||
g/8KdqKm021Eq/NJ+3WxINbRLFgYx8b+jTc7TE6ASNSNnbeG9UYlJ8kzfVII6C/4 | ||
H0RutMyJMyduyT5c8F3OmDY5FDdX1F1VRQ== | ||
-----END CERTIFICATE----- | ||
|
||
Verifying certificates... | ||
Verified ok | ||
|
||
Device info: | ||
Issuer: CN=Yubico PIV Root CA Serial 263751 | ||
Form factor: unknown: 0 | ||
PIN Policy: Always | ||
Serial number: 10550341 | ||
Version: 4.4.5 | ||
``` | ||
|
||
### Signing | ||
|
||
You can then use the normal `cosign` commands to sign images and blobs with your security key and PIN. | ||
**NOTE**: The default PIN is `123456`. | ||
|
||
```shell | ||
$ cosign sign --sk $IMAGE_DIGEST | ||
Enter PIN for security key: | ||
Please tap security key... | ||
Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.sig | ||
``` | ||
|
||
To verify, you can either use the hardware key directly: | ||
|
||
```shell | ||
$ cosign verify --sk $IMAGE_DIGEST | ||
|
||
Verification for gcr.io/dlorenc-vmtest2/demo -- | ||
The following checks were performed on each of these signatures: | ||
- The cosign claims were validated | ||
- The signatures were verified against the specified public key | ||
- The code-signing certificate was verified using trusted certificate authority certificates | ||
|
||
[{"critical":{"identity":{"docker-reference":"gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd"},"type":"cosign container image signature"},"optional":null}] | ||
``` | ||
|
||
Or export the public key and verify against that: | ||
|
||
```shell | ||
$ cosign public-key --sk > pub.key | ||
|
||
$ cosign verify --key pub.key $IMAGE | ||
|
||
Verification for gcr.io/dlorenc-vmtest2/demo -- | ||
The following checks were performed on each of these signatures: | ||
- The cosign claims were validated | ||
- The signatures were verified against the specified public key | ||
- The code-signing certificate was verified using trusted certificate authority certificates | ||
|
||
[{"critical":{"identity":{"docker-reference":"gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd"},"type":"cosign container image signature"},"optional":null}] | ||
``` | ||
|
||
## CLI Usage | ||
|
||
### Setup | ||
|
||
The `cosign piv-tool reset` command will restore your device to factory defaults. | ||
This will **DESTROY** any keys on the device, you cannot recover them. | ||
|
||
The default management key, PIN and PUK will be configured after this command. | ||
|
||
The `cosign piv-tool generate-key` command is used to provision a key compatible with `cosign` and the rest of `sigstore`. | ||
We recommend using the `--random-management-key=true` flag. | ||
|
||
### Access Control | ||
|
||
The management-key, PIN and PUK can all be configured with the `set-management-key`, `set-pin` and `set-puk` commands. | ||
Leaving the `old-<type>` flag empty will result in the default value being used. | ||
|
||
The PIN is used for signing, so you should set that to a value you can remember. | ||
The PUK is used to reset the PIN in case you forget, without needing to regenerate the signing key. | ||
|
||
We recommend configuring these after the initial setup and key generation. | ||
|
||
## Tested Devices | ||
|
||
This set of commands has been tested against the following hardware: | ||
|
||
* YubiKey 5C | ||
* YuibiKey 5C Nano FIPS | ||
* YubiKey 4 Series | ||
|
||
**Note**: We aim to expand this list. | ||
If you have hardware and can test it out, please send a PR with your results! | ||
|
||
Tests can be run against a device with the following command. | ||
**WARNING**: These tests will destroy any keys on your device. | ||
|
||
```shell | ||
$ go test ./test -tags=resetyubikey,e2e -count=1 | ||
``` | ||
|
||
**WARNING**: These tests will destroy any keys on your device. | ||
|
||
## Attestations | ||
|
||
There are two attestations available from the hardware key. | ||
The first is the device attestation. | ||
This can be used to verify the hardware is authentic and came from the manufacturer. | ||
To verify this, retrieve the manufacturers CA. | ||
See [here](https://developers.yubico.com/yubico-piv-tool/Attestation.html) for instructions from Yubico. | ||
|
||
This certificate can be validated with `openssl` or other tooling: | ||
|
||
```shell | ||
# Obtained from https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem | ||
$ echo '-----BEGIN CERTIFICATE----- | ||
MIIDFzCCAf+gAwIBAgIDBAZHMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIFl1 | ||
YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAwMDAwMFoY | ||
DzIwNTIwNDE3MDAwMDAwWjArMSkwJwYDVQQDDCBZdWJpY28gUElWIFJvb3QgQ0Eg | ||
U2VyaWFsIDI2Mzc1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMN2 | ||
cMTNR6YCdcTFRxuPy31PabRn5m6pJ+nSE0HRWpoaM8fc8wHC+Tmb98jmNvhWNE2E | ||
ilU85uYKfEFP9d6Q2GmytqBnxZsAa3KqZiCCx2LwQ4iYEOb1llgotVr/whEpdVOq | ||
joU0P5e1j1y7OfwOvky/+AXIN/9Xp0VFlYRk2tQ9GcdYKDmqU+db9iKwpAzid4oH | ||
BVLIhmD3pvkWaRA2H3DA9t7H/HNq5v3OiO1jyLZeKqZoMbPObrxqDg+9fOdShzgf | ||
wCqgT3XVmTeiwvBSTctyi9mHQfYd2DwkaqxRnLbNVyK9zl+DzjSGp9IhVPiVtGet | ||
X02dxhQnGS7K6BO0Qe8CAwEAAaNCMEAwHQYDVR0OBBYEFMpfyvLEojGc6SJf8ez0 | ||
1d8Cv4O/MA8GA1UdEwQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 | ||
DQEBCwUAA4IBAQBc7Ih8Bc1fkC+FyN1fhjWioBCMr3vjneh7MLbA6kSoyWF70N3s | ||
XhbXvT4eRh0hvxqvMZNjPU/VlRn6gLVtoEikDLrYFXN6Hh6Wmyy1GTnspnOvMvz2 | ||
lLKuym9KYdYLDgnj3BeAvzIhVzzYSeU77/Cupofj093OuAswW0jYvXsGTyix6B3d | ||
bW5yWvyS9zNXaqGaUmP3U9/b6DlHdDogMLu3VLpBB9bm5bjaKWWJYgWltCVgUbFq | ||
Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8 | ||
SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7 | ||
-----END CERTIFICATE-----' > yubico.crt | ||
|
||
# Obtained from "cosign piv-tool attestation" (the first certificate) | ||
$ echo '-----BEGIN CERTIFICATE----- | ||
MIIC+jCCAeKgAwIBAgIJAJDjrwcvIYiiMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNV | ||
BAMMIFl1YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAw | ||
MDAwMFoYDzIwNTIwNDE3MDAwMDAwWjAhMR8wHQYDVQQDDBZZdWJpY28gUElWIEF0 | ||
dGVzdGF0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyS4ANsMp | ||
RQA9cigP1oUG8yQ8tQkel2IergXvY9WSYy/muj30exFWXvO323i9RaQtoT7hOS5d | ||
SsH1hNvSTD56fIaKpg+8jHsQLM6mF2Jo0Kb4rBduYNi+waFbGcwgrmRX1d9NcYb6 | ||
UDJt0o0RW6aGPY6wqUvMlIj0EwNIN7Ct1wSjIdL1qFmyVwUkQkPDd/0jDv7giE0P | ||
M36qISQ6U8t2jNg5aWDEjf7wwWTIiMjbv0FaaiL5Vqmc7WboofKZN5nQyWGAtAtz | ||
jTXzSkBfNPDO1eAUgbCbmu5efD8WeAtiPQyz8zQDU5UyihmDUEF1Dgr9/QMtQ5bd | ||
Z+FkBTtBYFp4aQIDAQABoykwJzARBgorBgEEAYLECgMDBAMFAgYwEgYDVR0TAQH/ | ||
BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAQutaY0Wf/o2MPyRmsMM1QQuX | ||
JI1ncaiDczWpFGj8YFUqlwLsEgYMzzGMrgPHIyE+CCgbYfyJu2mGU7goEHFq2/Ky | ||
i8mjJtk/nVMF/m+dD7zbLvXPU0f9BKdpm1LUjC/YscvkFuI+sFrZvk8e1DAM49D5 | ||
Dm3MsEw9KjGhhTSv8iMoz9QMN7O1ozfsLTkj5eJQFEzkeUtgPxoJVnJqd4JkqnhF | ||
ZoN7tG+9N6wouG5pCzOJDgraGwow11UdcheQze2SVktYcRdWVgr86YBiYdfAzkLz | ||
FN4tXEiGuQyX6gWKBdd91niHF27RIWNGuz6X9KzMwgJ374n2ld8BiLg9PU30xA== | ||
-----END CERTIFICATE-----' > device.crt | ||
|
||
$ openssl verify -CAfile yubico.crt device.crt | ||
device.crt: OK | ||
``` | ||
|
||
The key attestation can be used to verify that the signing key was generated on the device, not loaded from an external source. | ||
|
||
This can be verified against the device attestation cert, which forms a chain back to the manufacturer. | ||
|
||
```shell | ||
# Use the same crt files from the previous step, create the CA chain | ||
$ cat yubico.crt device.crt > chain.pem | ||
|
||
# This cert was obtained from "cosign piv-tool attestation", the second cert | ||
$ echo '-----BEGIN CERTIFICATE----- | ||
MIICVTCCAT2gAwIBAgIQARF+TvIOm46Oc+FF3+YHITANBgkqhkiG9w0BAQsFADAh | ||
MR8wHQYDVQQDDBZZdWJpY28gUElWIEF0dGVzdGF0aW9uMCAXDTE2MDMxNDAwMDAw | ||
MFoYDzIwNTIwNDE3MDAwMDAwWjAlMSMwIQYDVQQDDBpZdWJpS2V5IFBJViBBdHRl | ||
c3RhdGlvbiA5YzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBG2R72YMY5KlpWP | ||
OuQj5ZgKoyyusj4S/uzKMSNyy5jv4DoR/EOnpVXAGSYAFGWPhl5TdLtf02rSPrHc | ||
NgxEE4ejTjBMMBEGCisGAQQBgsQKAwMEAwUCBjAUBgorBgEEAYLECgMHBAYCBADH | ||
kP4wEAYKKwYBBAGCxAoDCAQCAwIwDwYKKwYBBAGCxAoDCQQBAzANBgkqhkiG9w0B | ||
AQsFAAOCAQEAeT5EXMm1PfVImtFinOPUsVY4tq2mPaZQ67//OiPisuSaF90YJIRJ | ||
PyndeKHDpscFwN1h8XhACb6e6XAyswB//qMdt+2VEeJCFatcuUHki4Vb8plRkZNU | ||
IDTbnZ3TnqY9eH4POmbHS9MmsDJPBFqCAvbX4hgHOiYmpim2tf4U562LMzpYU44c | ||
rb9ZMlAhjlOHgft02Gduv2DK1THfUacMYR1L0p9WgCaRKAlAWsvyl3Xmfjf3NRJT | ||
gzHKg/sREq1fns6kff5rj0kqZhuuhSYfOrhS3pRbMOEcKksymBwYbQpEgJYJndwO | ||
uCPMJZqsNyWMmfksjulR9XAQvBCImkXncw== | ||
-----END CERTIFICATE-----' > key.crt | ||
|
||
$ openssl verify -CAfile chain.pem key.crt | ||
key.crt: OK | ||
``` | ||
> Note of deprecation: This document has been migrated into [`sigstore/docs`](https://github.com/sigstore/docs/blob/main/content/en/cosign/hardware-based-tokens.md) as part of [documentation migration](https://github.com/sigstore/cosign/issues/822) and PR: https://github.com/sigstore/docs/pull/128. To view the live docs page, go to: https://docs.sigstore.dev/cosign/hardware-based-tokens |
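Review bot: The removed "Tested Devices" section carried the test invocation `go test ./test -tags=resetyubikey,e2e -count=1` together with the warning that these tests destroy any keys on the device, and the one-line stub at the end of the hunk drops both. That command runs against `./test` in this repository, so it is contributor guidance rather than end-user documentation; please confirm the command and its warning stay documented somewhere in-tree, or keep that short section in this file next to the migration note.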