Query on Gitlab and Rocket Chat on Edgeless Systems

[prahaladd]

Hello Team,

I was reading through the blog post on Confidential Gitlab - https://www.edgeless.systems/resource-library/confidential-gitlab/. I need more clarity around the section "What about user connections?"
Within that section, it has been described to configure the git client with the following

    pinnedPubkey = sha256//aZTzzCepU+Sa34+xkqyFGiWXG+/yHtF6Q5AgMMAjHhs=

I have two questions:

• How do we obtain the pinnedPubkey for Gitlab?
• Is there a general set of steps that must be followed to obtain the pinned public key for any service? For e.g. a usage of a particular command line utility provided by Edgeless?

Also, I see that the blog post for Rocket Chat application gives a 404. Has the page been taken down?

Thank you in advance for your help on this matter

[derpsteb]

Hey @prahaladd,
thanks for your interest!

The value that goes into pinnedPubkey is the base64 encoded sha256 hash of the public key you want to pin. To generate the value you could do this:

$ echo | openssl s_client -servername gitlab.edgeless.systems -connect gitlab.edgeless.systems:443 | openssl x509 -pubkey -noout > pubkey
$ cat pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
SdZHpn0+6Wwd6Q5dgs2u60IGADQJfipSePJOkLZHjU0=

The first command downloads the certificate, parses the public key and writes it into the file pubkey. The second command generates the sha256 digest of the public key and encodes it in base64.

You can follow these steps to collect the public key for any service available over TLS. How you pin the public key depends on the application you are using. For git it is config.pinnedPubkey, for an Android app it will be a different story.

We are looking into the rocket chat deployment.

Hope that helps!