Registration
When registering with Transmute, you will need to create the following:
- SECP256K1 Primary Keypair
- SECP256K1 Recovery Keypair
Transmute uses the primary keypair to identify and register an account with the name and email specified in the public key. We require that a SECP256K1 primary keypair be created and signed by a SECP256K1 recovery keypair when registering in our system.
The recovery keypair exists so that the public key associated with a user's account can be revoked and replaced. It is generated alongside the primary keypair so that a user whose primary private key is compromised still has a way to revoke it and issue a replacement. Keep the recovery private key separate from the primary private key (ideally offline); if both are compromised together, the account cannot be recovered.
Before proceeding, follow the MacOS Guide for setting up your local environment.
Once your environment has been configured, run the following to generate your registration keys.
$ transmute generate-keys
This will ask you for a passphrase in order to generate your keypairs. After the keys have been generated, you will be able to access them in your GPG keyring with:
$ transmute list-keys
To export a private key, you will first need to copy the fingerprint of the key you wish to export to your clipboard. To get a key's fingerprint, run:
$ transmute list-keys
You should be returned something that looks like the following:
pub secp256k1 2018-07-11 [SC]
B03F12806C1E250946EFA84AEF854E46F0DD5A9F <=== PRIMARY KEY FINGERPRINT
uid [ unknown]
sub secp256k1 2018-07-11 [E]
pub secp256k1 2018-07-11 [SC]
9B6B06577A9603CC3B3A3AA6846CF3F17F94DCD8 <=== RECOVERY KEY FINGERPRINT
uid [ unknown]
sub secp256k1 2018-07-11 [E]
After copying the fingerprint, run:
$ transmute export-private-key
Input your key's fingerprint and passphrase and your private key will be output to the command line. Treat that output as a secret: do not leave it in terminal scrollback or paste it anywhere it will be logged.
To generate a new recovery key, you will need to copy the fingerprint of your existing recovery key to your clipboard using the same instructions as for exporting your keys. After copying your recovery key's fingerprint, run:
$ transmute generate-recovery-key
Input your key's fingerprint and a new passphrase, and your new recovery key will be created and added to your keyring.
Keysigning with GPG is a good reference and can be used as a how to for generating keys with GPG and signing other keys with them.
When generating new keys, you can specify a number of parameters.
Here is an example of a file you can use to batch your GPG key configuration when generating new keys. This file creates a secp256k1 keypair, so we will refer to it as gen-secp256k1.ecdsa:
Key-Type: ecdsa
Key-Curve: secp256k1
Key-Usage: sign auth
Expire-Date: 1000d
Passphrase: y33h4w, 73x45!
Please modify this as needed. For the purposes of this repository, we will be generating two secp256k1 keypairs (primary and recovery), so Key-Type and Key-Curve stay as they are; adjust the remaining fields (usage, expiry and passphrase) per key, and use a different passphrase for each key. Note that the Passphrase field stores the passphrase in plaintext on disk, so remove the file once the keys have been generated. When you create these keypairs, please note that you should not include 'Name-Real' and 'Name-Email' in this configuration.
Run the command once per key, with a separate batch file for each; this generates the keys and adds them to your gpg keyring (please update the filenames accordingly):
$ gpg --batch --yes --gen-key gen-secp256k1.ecdsa
$ gpg --batch --yes --gen-key gen-secp256k1.ecdsa
After adding these keys, you can view the keys in your keyring with:
$ gpg --list-keys
Get the fingerprint of each key (the 40-hex-digit line under 'pub' when listing) and sign the primary key with the recovery key. The value after -u is the recovery key and the value after --sign-key is the primary key:
$ gpg -u BEEA1E6AA72EADF515CE975179C30B5C7F1662E5 --sign-key AAA4850E4577112FF75B71F7B8BC5B8057CB3424
Note, the -u flag specifies the local user (here, the recovery key) that performs the --sign-key operation.
gpg will ask whether you really wish to do this and then for the recovery key's passphrase. It then adds a certification signature, made by the recovery key, to the user ID of the key being signed (the primary key); this certification is what proves to Transmute that the primary key was signed by the recovery key. Use --sign-key rather than --lsign-key: a local signature is marked non-exportable and will be dropped from the exported key. You can confirm the certification is present by running gpg --check-sigs on the primary key's fingerprint.
After signing your primary key with your recovery key, you can export the armored public keys to be used when registering and recovering with the Transmute Platform (the fingerprints are the same ones used in the signing step above: the primary key is the one that was signed, the recovery key is the one that signed it):
$ gpg --export -a AAA4850E4577112FF75B71F7B8BC5B8057CB3424 > ./primary_key.asc
$ gpg --export -a BEEA1E6AA72EADF515CE975179C30B5C7F1662E5 > ./recovery_key.asc
If your primary key is compromised and you need to replace it with your recovery key, you will first need to generate a new key following the same instructions as when generating the primary and recovery keys for registration. In this case, you only need to generate one new key: it becomes the new recovery key, and your existing recovery key takes over as the primary key.
After generating this key, make sure to locate your existing recovery key in your local gpg keyring with the command:
$ gpg --list-keys
After identifying your existing recovery key, sign it with the new key you just generated. The value after -u is the new key (the new recovery key) and the value after --sign-key is the existing recovery key (which becomes the new primary key):
$ gpg -u A72EA5CE9751BEEA1E6A79C30B5C7F1662DF51E5 --sign-key AAA487B8BC5B805577112FF7CB350E475B71F424
You will then be able to export these keys with the following commands. The existing recovery key, now signed by the new key, is exported as the primary key, and the newly generated key is exported as the recovery key:
$ gpg --export -a AAA487B8BC5B805577112FF7CB350E475B71F424 > ./primary_key.asc
$ gpg --export -a A72EA5CE9751BEEA1E6A79C30B5C7F1662DF51E5 > ./recovery_key.asc
Upload both files to Transmute. The compromised primary public key is replaced by your previous recovery key, and the previous recovery key is replaced by the newly generated recovery key, so the keys rotate round-robin style. The compromised primary key should no longer be used for anything.
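Before uploading the exported files, either after the initial registration export or after a recovery rotation, it is worth checking that the keyring really is in the state the steps above describe: both keys are ECDSA on secp256k1, the two fingerprints differ, and the primary key carries a good, exportable certification from the recovery key (a --lsign-key certification is silently dropped on export, which is the most common way this procedure fails). The following is an added example, not part of the Transmute CLI or this repository: it parses the machine-readable listing produced by `gpg --with-colons --check-sigs` and reports what is missing. The function names, and the sample listing embedded at the bottom (constructed, not captured from a real keyring; it reuses the illustrative fingerprints from the gpg commands above and placeholder subkey fingerprints), are this example's own.

```python
"""Offline check of the keyring state required for Transmute registration:
the primary key must carry a good, exportable certification made by the
recovery key, and both keys must be ECDSA on secp256k1.

Input is the machine-readable listing from:  gpg --with-colons --check-sigs
Added example for this page, not part of the Transmute tooling."""

from dataclasses import dataclass, field

ECDSA_ALGO = "19"                        # OpenPGP public-key algorithm id 19 = ECDSA
CERT_CLASSES = ("10", "11", "12", "13")  # 0x10..0x13: certifications on a user ID


@dataclass
class Key:
    fingerprint: str = ""
    algo: str = ""
    curve: str = ""
    uids: list = field(default_factory=list)
    certs: list = field(default_factory=list)  # (signer key id, validity, class) on the primary's uids


def parse_colon_listing(text):
    """Parse --with-colons records into {fingerprint: Key}.

    Only 'sig' records that follow the primary key's 'uid' lines are kept;
    'sig' records after a 'sub' line are subkey bindings, not certifications.
    """
    keys, current, on_primary = [], None, False
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":                       # field 4 = algo, field 17 = curve name
            current = Key(algo=f[3], curve=f[16] if len(f) > 16 else "")
            keys.append(current)
            on_primary = True
        elif rec == "sub":
            on_primary = False
        elif current is None or not on_primary:
            continue
        elif rec == "fpr" and not current.fingerprint:
            current.fingerprint = f[9]         # field 10 = fingerprint
        elif rec == "uid":
            current.uids.append(f[9])          # field 10 = user id string
        elif rec == "sig":
            # field 2 = validity ('!' good), field 5 = signer key id, field 11 = class
            current.certs.append((f[4], f[1], f[10]))
    return {k.fingerprint: k for k in keys}


def check_registration(listing, primary_fpr, recovery_fpr):
    """Return (ok, reasons); ok is True only when every requirement holds."""
    keys = parse_colon_listing(listing)
    primary, recovery = keys.get(primary_fpr), keys.get(recovery_fpr)
    reasons = []
    if primary_fpr == recovery_fpr:
        reasons.append("primary and recovery must be different keys")
    if primary is None:
        reasons.append("primary key not found in keyring")
    if recovery is None:
        reasons.append("recovery key not found in keyring")
    if reasons:
        return False, reasons
    for name, key in (("primary", primary), ("recovery", recovery)):
        if key.algo != ECDSA_ALGO or key.curve != "secp256k1":
            reasons.append(f"{name} key is not ECDSA/secp256k1")
    # A v4 key id is the low 64 bits of the fingerprint: its last 16 hex digits.
    recovery_keyid = recovery_fpr[-16:]
    from_recovery = [c for c in primary.certs if c[0] == recovery_keyid]
    good = [c for c in from_recovery
            if c[1] == "!" and c[2][:2] in CERT_CLASSES and c[2].endswith("x")]
    if good:
        pass
    elif any(c[2].endswith("l") for c in from_recovery):
        reasons.append("recovery key's certification is local (--lsign-key) and will not "
                       "be exported; re-sign with --sign-key")
    elif any(c[1] != "!" for c in from_recovery):
        reasons.append("recovery key's certification does not verify")
    else:
        reasons.append("primary key has no certification from the recovery key")
    return not reasons, reasons


# Constructed sample in --with-colons format (not captured from a real keyring).
# The two primary fingerprints are the illustrative ones from this page's gpg
# commands; the subkey fingerprints and uid hashes are placeholders.
PRIMARY = "AAA4850E4577112FF75B71F7B8BC5B8057CB3424"
RECOVERY = "BEEA1E6AA72EADF515CE975179C30B5C7F1662E5"
SUB1, SUB2 = "0" * 39 + "1", "0" * 39 + "2"
SAMPLE_LISTING = f"""\
tru::1:1531267200:0:3:1:5
pub:u:256:19:{PRIMARY[-16:]}:1531267200:1617667200::u:::scSC:::::secp256k1::0:
fpr:::::::::{PRIMARY}:
uid:u::::1531267200::C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00::::::::::::0:
sig:!::19:{PRIMARY[-16:]}:1531267200:::::13x:
sig:!::19:{RECOVERY[-16:]}:1531353600:::::10x:
sub:u:256:18:{SUB1[-16:]}:1531267200:1617667200:::::e:::::secp256k1:
fpr:::::::::{SUB1}:
sig:!::19:{PRIMARY[-16:]}:1531267200:::::18x:
pub:u:256:19:{RECOVERY[-16:]}:1531267200:1617667200::u:::scSC:::::secp256k1::0:
fpr:::::::::{RECOVERY}:
uid:u::::1531267200::C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE01::::::::::::0:
sig:!::19:{RECOVERY[-16:]}:1531267200:::::13x:
sub:u:256:18:{SUB2[-16:]}:1531267200:1617667200:::::e:::::secp256k1:
fpr:::::::::{SUB2}:
sig:!::19:{RECOVERY[-16:]}:1531267200:::::18x:
"""

if __name__ == "__main__":
    import sys
    # Usage: gpg --with-colons --check-sigs | python check.py PRIMARY_FPR RECOVERY_FPR
    if len(sys.argv) == 3:
        listing, p, r = sys.stdin.read(), sys.argv[1], sys.argv[2]
    else:
        listing, p, r = SAMPLE_LISTING, PRIMARY, RECOVERY
    ok, reasons = check_registration(listing, p, r)
    print("OK" if ok else "NOT OK: " + "; ".join(reasons))
```

For the recovery rotation, run the same check with the old recovery key's fingerprint as the primary and the newly generated key's fingerprint as the recovery; it should pass for exactly that pairing and fail the other way round, which catches the two files being exported under swapped names.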