You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As discussed in #2467, our private signing key using https://github.com/orlp/ed25519 is not compatible with other libraries. This is because other libraries use seed or seed + public_key as their private key and instead oral/ed25519 hashes the seed so it doesn't have to re-hash it on every signing operation. Presently we discard the seed before the hashing operation so it is impossible to sign updates using other libraries which may be beneficial on other OS systems / toolchains / etc.
Proposal is that for newly generated keys, we preserve the seed. Potentially the new format could be seed + public_key and we would just derive the private key from the seed and public_key again. On export/import we may want to consider using a binary format instead of base64 but I'm not sure yet. Compatibility considerations may need to be made so older tools don't accidentally leak newly generated private keys.
The text was updated successfully, but these errors were encountered:
As discussed in #2467, our private signing key using https://github.com/orlp/ed25519 is not compatible with other libraries. This is because other libraries use
seedorseed + public_keyas their private key and instead oral/ed25519 hashes theseedso it doesn't have to re-hash it on every signing operation. Presently we discard theseedbefore the hashing operation so it is impossible to sign updates using other libraries which may be beneficial on other OS systems / toolchains / etc.Proposal is that for newly generated keys, we preserve the seed. Potentially the new format could be
seed + public_keyand we would just derive the private key from theseedandpublic_keyagain. On export/import we may want to consider using a binary format instead of base64 but I'm not sure yet. Compatibility considerations may need to be made so older tools don't accidentally leak newly generated private keys.The text was updated successfully, but these errors were encountered: