diff --git a/README.md b/README.md
index 87687df..5d504d1 100644
--- a/README.md
+++ b/README.md
@@ -18,8 +18,13 @@ sh scripts/keygen.sh
 ```
 This creates:
-- `~/.keys/.key` — private key, keep secret
-- `developers/.pub` — public key, commit to this repo
+- `~/.keys/.key` — private key PEM, keep secret
+- `~/.keys/.key.pub` — SSH public key (OpenSSH format)
+- `developers/.pub` — raw base64 public key, commit to this repo
+
+**One key, two uses:**
+- Release signing: `developers/.pub` embedded in binaries via ldflags
+- SSH access to debug LiveCD: `~/.keys/.key.pub` auto-loaded by `build-debug.sh`
 Then commit and push the `.pub` file. Next project release will include your key.
diff --git a/scripts/keygen.sh b/scripts/keygen.sh
index 9063cff..47dc6bf 100755
--- a/scripts/keygen.sh
+++ b/scripts/keygen.sh
@@ -1,14 +1,16 @@
 #!/bin/sh
-# keygen.sh — generate an Ed25519 keypair for signing release binaries
+# keygen.sh — generate an Ed25519 keypair for signing release binaries and SSH access
 #
 # Usage:
 # sh scripts/keygen.sh
 #
 # Output:
-# ~/.keys/.key — private key (KEEP SECRET, never commit)
-# developers/.pub — public key (safe to commit here)
+# ~/.keys/.key — private key PEM (KEEP SECRET, never commit)
+# ~/.keys/.key.pub — SSH public key (OpenSSH format, for authorized_keys)
+# developers/.pub — raw base64 public key (for binary signing, commit this)
 #
-# Requirements: openssl 3.x
+# The same key is used for both release signing and SSH access to debug LiveCD.
+# Requirements: openssl 3.x, python3
 set -e
@@ -35,15 +37,49 @@ chmod 700 "$HOME/.keys"
 openssl genpkey -algorithm ed25519 -out "$PRIVATE_KEY_PATH"
 chmod 600 "$PRIVATE_KEY_PATH"
-# Extract raw 32-byte public key and base64-encode it
+SSH_PUB_PATH="${HOME}/.keys/${NAME}.key.pub"
+
+# Extract raw 32-byte public key and base64-encode it (for release signing)
 openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform DER \
 | tail -c 32 \
 | base64 > "$PUBLIC_KEY_PATH"
-echo "Private key: $PRIVATE_KEY_PATH (DO NOT share or commit)"
-echo "Public key: $PUBLIC_KEY_PATH (commit this to the keys repo)"
+# Export OpenSSH public key (for authorized_keys / SSH access to debug LiveCD)
+# openssl can write SSH format directly in 3.x
+openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform PEM \
+ | python3 - "$NAME" "$SSH_PUB_PATH" <<'PYEOF'
+# Convert OpenSSH-compatible PEM public key to authorized_keys line format
+import sys, base64, struct, hashlib
+
+name = sys.argv[1]
+out_path = sys.argv[2]
+pem_lines = sys.stdin.read().strip().splitlines()
+der = base64.b64decode("".join(pem_lines[1:-1]))
+
+# Ed25519 DER SubjectPublicKeyInfo: last 32 bytes are the raw key
+raw = der[-32:]
+
+# Build OpenSSH wire format: length-prefixed "ssh-ed25519" + length-prefixed key
+def pack(b):
+ return struct.pack(">I", len(b)) + b
+
+wire = pack(b"ssh-ed25519") + pack(raw)
+b64 = base64.b64encode(wire).decode()
+line = f"ssh-ed25519 {b64} {name}\n"
+
+with open(out_path, "w") as f:
+ f.write(line)
+print(f"SSH public key: {out_path}")
+PYEOF
+
+chmod 600 "$SSH_PUB_PATH"
+
+echo "Private key: $PRIVATE_KEY_PATH (DO NOT share or commit)"
+echo "Signing pub key: $PUBLIC_KEY_PATH (commit this to the keys repo)"
+echo "SSH pub key: $SSH_PUB_PATH (add to LiveCD authorized_keys)"
 echo ""
 echo "Next steps:"
 echo " 1. git add developers/${NAME}.pub && git commit -m 'add ${NAME} public key'"
 echo " 2. git push"
 echo " 3. Rebuild any release binaries to include the new key"
+echo " 4. 
To SSH into debug LiveCD: sh iso/builder/build-debug.sh --authorized-keys ${SSH_PUB_PATH}"
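Review bot: The heredoc never verifies that it actually received a key before writing the authorized_keys line: `raw = der[-32:]` silently yields an empty or truncated value when `openssl pkey` fails upstream (the script runs under `#!/bin/sh` with `set -e` and no pipefail, so python3 reads empty stdin and the script still exits 0 with a malformed `$SSH_PUB_PATH`); add `if len(raw) != 32: sys.exit("unexpected public key encoding, expected a 32-byte Ed25519 key")` directly after the slice. The comment `# openssl can write SSH format directly in 3.x` does not describe the code below it, which converts the PEM via the python3 heredoc — reword it to `# Convert the PEM SubjectPublicKeyInfo to an authorized_keys line (wire format built in python3)` and drop the unused `hashlib` import. Separately, the header and README now state that one Ed25519 private key serves both as the release-signing key and as an SSH login key; an SSH key is routinely loaded into agents and copied between hosts, so compromising it would also compromise release signing, and that trade-off deserves either a separate SSH key or an explicit statement of the risk in the header comment. The `chmod 600 "$SSH_PUB_PATH"` on a public key is harmless but implies secrecy the file does not need; 644 would match the "safe to share" status the echo lines describe.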