mchus/keys
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efba949afd1738271accf1b825c591e53870271f
keys/scripts/keygen.sh
Michael Chus efba949afd feat(keygen): export SSH public key alongside signing key 
Same Ed25519 key now serves dual purpose:
- Release binary signing (developers/<name>.pub raw base64)
- SSH access to debug LiveCD (~/.keys/<name>.key.pub OpenSSH format)

build-debug.sh auto-collects ~/.keys/*.key.pub into authorized_keys.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 10:42:42 +03:00

86 lines
2.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# keygen.sh — generate an Ed25519 keypair for signing release binaries and SSH access
#
# Usage:
# sh scripts/keygen.sh <developer-name>
#
# Output:
# ~/.keys/<developer-name>.key — private key PEM (KEEP SECRET, never commit)
# ~/.keys/<developer-name>.key.pub — SSH public key (OpenSSH format, for authorized_keys)
# developers/<developer-name>.pub — raw base64 public key (for binary signing, commit this)
#
# The same key is used for both release signing and SSH access to debug LiveCD.
# Requirements: openssl 3.x, python3
set -e
NAME="$1"
if [ -z "$NAME" ]; then
echo "Usage: sh scripts/keygen.sh <developer-name>" >&2
echo "Example: sh scripts/keygen.sh mchusavitin" >&2
exit 1
fi
PRIVATE_KEY_PATH="$HOME/.keys/${NAME}.key"
PUBLIC_KEY_PATH="$(dirname "$0")/../developers/${NAME}.pub"
if [ -f "$PRIVATE_KEY_PATH" ]; then
echo "Private key already exists at $PRIVATE_KEY_PATH" >&2
echo "Delete it manually if you want to regenerate." >&2
exit 1
fi
mkdir -p "$HOME/.keys"
chmod 700 "$HOME/.keys"
# Generate Ed25519 private key (PEM format)
openssl genpkey -algorithm ed25519 -out "$PRIVATE_KEY_PATH"
chmod 600 "$PRIVATE_KEY_PATH"
SSH_PUB_PATH="${HOME}/.keys/${NAME}.key.pub"
# Extract raw 32-byte public key and base64-encode it (for release signing)
openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform DER \
| tail -c 32 \
| base64 > "$PUBLIC_KEY_PATH"
# Export OpenSSH public key (for authorized_keys / SSH access to debug LiveCD)
# openssl can write SSH format directly in 3.x
openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform PEM \
| python3 - "$NAME" "$SSH_PUB_PATH" <<'PYEOF'
# Convert OpenSSH-compatible PEM public key to authorized_keys line format
import sys, base64, struct, hashlib
name = sys.argv[1]
out_path = sys.argv[2]
pem_lines = sys.stdin.read().strip().splitlines()
der = base64.b64decode("".join(pem_lines[1:-1]))
# Ed25519 DER SubjectPublicKeyInfo: last 32 bytes are the raw key
raw = der[-32:]
# Build OpenSSH wire format: length-prefixed "ssh-ed25519" + length-prefixed key
def pack(b):
return struct.pack(">I", len(b)) + b
wire = pack(b"ssh-ed25519") + pack(raw)
b64 = base64.b64encode(wire).decode()
line = f"ssh-ed25519 {b64} {name}\n"
with open(out_path, "w") as f:
f.write(line)
print(f"SSH public key: {out_path}")
PYEOF
chmod 600 "$SSH_PUB_PATH"
echo "Private key: $PRIVATE_KEY_PATH (DO NOT share or commit)"
echo "Signing pub key: $PUBLIC_KEY_PATH (commit this to the keys repo)"
echo "SSH pub key: $SSH_PUB_PATH (add to LiveCD authorized_keys)"
echo ""
echo "Next steps:"
echo " 1. git add developers/${NAME}.pub && git commit -m 'add ${NAME} public key'"
echo " 2. git push"
echo " 3. Rebuild any release binaries to include the new key"
echo " 4. To SSH into debug LiveCD: sh iso/builder/build-debug.sh --authorized-keys ${SSH_PUB_PATH}"
Reference in New Issue View Git Blame Copy Permalink