This is a skeleton for a CLI tool that can both sign and verify signatures of files.
To build the project, run the following command:
go build -o verifier
Look at the automatically generated help text with
./verifier --help
./verifier sign --help
./verifier verify --help
- Create a private key with the following command:
openssl genpkey -algorithm RSA -out private_key.pem -aes256
- Extract the public key from the private key with the following command:
openssl rsa -pubout -in private_key.pem -out public_key.pem
- Sign a file with the private key with the following command:
openssl dgst -sha256 -sign private_key.pem -out signature.sha256 secret.txt
Note
Double-check your understanding: What is SHA256? What is its purpose in generating the signature?
- Verify the signature with the public key with the following command:
openssl dgst -sha256 -verify public_key.pem -signature signature.sha256 secret.txt
- Modify the `secret.txt` file and verify the signature again. What happens?
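What the `openssl dgst -sha256 -sign` and `-verify` steps above do, as an added Go example (not code from this repo's skeleton): hash the file with SHA-256, then sign or check the digest with RSA PKCS#1 v1.5, OpenSSL's default RSA padding. The function names `sign`, `verify` and `demo`, the in-memory throwaway key and the sample bytes are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// sign mirrors `openssl dgst -sha256 -sign`: SHA-256, then RSA PKCS#1 v1.5.
func sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verify mirrors `-verify`; pubPEM is what `openssl rsa -pubout` writes.
func verify(pubPEM, data, sig []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return fmt.Errorf("no PUBLIC KEY PEM block found")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("not an RSA key: %T", parsed)
	}
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// demo verifies constructed data, then a copy with one byte changed.
func demo() (original, modified error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	sig, _ := sign(priv, []byte("constructed secret\n"))
	return verify(pubPEM, []byte("constructed secret\n"), sig),
		verify(pubPEM, []byte("constructed Secret\n"), sig)
}

func main() { fmt.Println(demo()) }
```

The key is generated in memory because the `-aes256` key from the first step is an encrypted PKCS#8 file, which Go's standard library does not decrypt.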
Tip
The following things aren't supposed to be particularly difficult. If you're having a rough time, come talk to me because you might be over-thinking something. Also, definitely leverage libraries to take care of this for you; you should be gluing libraries together more than re-inventing any wheel.
- Clone this repo and create a new branch off of `main` to work on.
- Implement the missing parts of the `verify` command.
  - Testing - You can use the signature file + public/private key files generated in the previous step to test your implementation.
- Implement the `sign` command. The `sign` command should sign a file with a private key and save the signature to a file.
- Add a new command `generate` that generates a new private/public key pair and saves them to files. You'll need to modify the CLI/cobra commands to add this new command.
Important
Let me know if anything is unclear or if you need help with anything. I made this in an hour or two so there might be some mistakes or unclear instructions. Feel free to use any resources (CLI tools, libraries, Google, ChatGPT, whatever). The main goal is to familiarize yourself with Go, signing/crypto concepts, and to make sure you understand what you're doing!