Skip to content

Commit

Permalink
sign: switch to P-256 (#662)
Browse files Browse the repository at this point in the history 
This is faster than P-384, is well-supported, and is well within
security margins.

Signed-off-by: William Woodruff <william@trailofbits.com>
  • Loading branch information
@woodruffw
woodruffw committed Jun 7, 2023
1 parent 001dab4 commit 10b9b1b
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
3 changes: 3 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@ All versions prior to 0.9.0 are untracked.
reducing the number of cryptographic operations and network roundtrips
required when signing more than one input
([#645](https://github.com/sigstore/sigstore-python/pull/645))

* `sigstore sign` now uses an ephemeral P-256 keypair, rather than P-384
([#662](https://github.com/sigstore/sigstore-python/pull/662))

### Fixed

Expand Down
2 changes: 1 addition & 1 deletion sigstore/sign.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ def _private_key(self) -> ec.EllipticCurvePrivateKey:
"""Get or generate a signing key."""
if self.__cached_private_key is None:
logger.debug("no cached key; generating ephemeral key")
return ec.generate_private_key(ec.SECP384R1())
return ec.generate_private_key(ec.SECP256R1())
return self.__cached_private_key

def _signing_cert(
Expand Down

0 comments on commit 10b9b1b

Please sign in to comment.