Skip to main content

SSH Sig

CI

Provides SSH signature parser and verifier for SSH file signatures.

SSH signatures allow signing arbitrary files and can be used for signing git commits and tags.

All features are implemented using pure TypeScript and built-in SubtleCrypto.

Since Ed25519 public keys are not yet widely deployed this package allows supplying custom SubtleCrypto implementation, such as webcrypto-ed25519.

Creating SSH signatures

SSH signatures can be created using OpenSSH’s ssh-keygen:

ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file file_to_sign

This will create a detached signature in the file_to_sign.sig file.

Supported algorithms

The following algorithms are supported at this time:

  • RSA
  • ed25519
  • NIST P-256

If you would like to see a different signing algorithm supported please file an issue attaching both the SSH signature and the file that was signed.

Examples

The following example verifies an ed25519 signature against provided data:

import { assertEquals } from "https://deno.land/std@0.217.0/assert/mod.ts";
import { verify } from "./index.ts";

const signature = `-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgscJcEliU8+Su3ZZjI/dJmgzHje
UMEHlAAuMTvrYRCVwAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx
OQAAAECQkGDrATymoR1tunbphepkXiLGAMcF+Eca1EL3KpidzNYSTJ/smLYVw2elXq3K/l
dnvxJddvs2Z/x5En43hQIB
-----END SSH SIGNATURE-----`;

const valid = await verify(
  signature, // detached signature
  "this is signed data\n", // signed data
  {
    subtle: crypto.subtle, // bring your own SubtleCrypto
  },
);

assertEquals(valid, true, "signature is valid");

Signatures can also be parsed before verification. Since signatures contain public keys it’s also possible to export the public key in the SSH format:

import { assertEquals } from "https://deno.land/std@0.217.0/assert/mod.ts";
import { verify } from "./index.ts";
import { parse } from "./sig_parser.ts";

const signature = parse(`-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgscJcEliU8+Su3ZZjI/dJmgzHje
UMEHlAAuMTvrYRCVwAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx
OQAAAECQkGDrATymoR1tunbphepkXiLGAMcF+Eca1EL3KpidzNYSTJ/smLYVw2elXq3K/l
dnvxJddvs2Z/x5En43hQIB
-----END SSH SIGNATURE-----`);

const valid = await verify(
  signature, // detached signature
  "this is signed data\n", // signed data
  // using "crypto.subtle" by default
);

assertEquals(valid, true, "signature is valid");
assertEquals(
  `${signature.publickey}`,
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHCXBJYlPPkrt2WYyP3SZoMx43lDBB5QALjE762EQlc",
  "signing key",
);

License

This project is licensed under the Apache License, Version 2.0.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.