I would like to give a selected number of developers the ability to run code on a system, and verify it using OpenSSH's `-Y verify` feature.
```sh
# Generate the certificates, and sign the dev cert with the root CA
ssh-keygen -t ed25519 -C "Example Root CA" -N "" -f ./rootca
ssh-keygen -t ed25519 -C "Some Developer Inc." -N "" -f ./developer
ssh-keygen -s ./rootca -I somedeveloper@example.com ./developer.pub # <- Creates ./developer-cert.pub
# Sign "example.bin"
echo "hello" > ./example.bin
ssh-keygen -Y sign -f ./developer -n "codesign@example.com" ./example.bin
```
Now, given "example.bin", "example.bin.sig", "rootca.pub", and "developer-cert.pub", how would you be able to verify it?
The `ssh-keygen -Y verify` command takes no parameter for the "developer-cert.pub" file, which is critical for completing the trust chain between the CA and the signature.
I could use `ssh-keygen -L`, but it seems insecure (who actually checks the root CA signature in the certificate?).
It seems my only option currently is to use libssh; is there another way?
EDIT: Thanks to the answer by @user1686, I have completed the example:
```sh
# Generate the certificates
ssh-keygen -t ed25519 -C "Example Root CA" -N "" -f ./rootca
ssh-keygen -t ed25519 -C "Some Developer Inc." -N "" -f ./developer
# Sign the dev cert with the root CA, granting a "codesign+foo" entitlement
ssh-keygen -s ./rootca -I somedeveloper@example.com -n codesign+foo@example.com ./developer.pub # <- Creates ./developer-cert.pub
# Sign "example.bin" using the "codesign@example.com" namespace (doesn't grant any entitlements, just used for security)
echo "hello" > example.bin
ssh-keygen -Y sign -f ./developer-cert.pub -n "codesign@example.com" ./example.bin
# Verifying the "codesign+foo@example.com" entitlement
echo "codesign+foo@example.com cert-authority $(cat rootca.pub)" > allowed_signers.conf
ssh-keygen -Y verify -I "codesign+foo@example.com" -n "codesign@example.com" -s example.bin.sig -f allowed_signers.conf < example.bin
```
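The completed procedure above only shows the success path. The script below is an added example (not from the original post or its answer) that rebuilds the same CA-to-developer chain in a scratch directory and also checks the two outcomes a verifier should see fail: a certificate whose principal is not listed in `allowed_signers`, and a key the CA never certified. It assumes OpenSSH 8.2 or later and, as a fallback only, a local `ssh-agent` if `ssh-keygen` cannot locate the private key next to the `-cert.pub` file.

```sh
#!/bin/sh
# Added example (not from the original post): rebuilds the CA -> developer
# certificate chain from the question in a scratch directory and runs the
# checks a verifier wants: a certified signature passes, a certificate whose
# principal is not in allowed_signers fails, and an uncertified key fails.
# Assumes OpenSSH 8.2+ (ssh-keygen -Y with cert-authority allowed_signers).
set -u
WORK=$(mktemp -d)
cd "$WORK"

# Sign $2 with key/cert $1. If ssh-keygen cannot find the private key for a
# -cert.pub file directly, load it into a throwaway ssh-agent and retry.
sign_with() {
    rm -f "$2.sig"
    ssh-keygen -q -Y sign -f "$1" -n codesign@example.com "$2" 2>/dev/null && return 0
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "${1%-cert.pub}" >/dev/null 2>&1
    ssh-keygen -q -Y sign -f "$1" -n codesign@example.com "$2"
}

# Return 0 only if example.bin.sig chains to the CA *and* the certificate
# carries principal $1 (the entitlement); everything else is a failure.
verify_as() {
    ssh-keygen -Y verify -I "$1" -n codesign@example.com \
        -s example.bin.sig -f allowed_signers.conf < example.bin >/dev/null 2>&1
}

ssh-keygen -q -t ed25519 -C "Example Root CA" -N "" -f ./rootca
ssh-keygen -q -t ed25519 -C "Some Developer Inc." -N "" -f ./developer
ssh-keygen -q -t ed25519 -C "Never certified by the CA" -N "" -f ./rogue
# The entitlement is the certificate principal; give the cert a validity window.
ssh-keygen -q -s ./rootca -I somedeveloper@example.com \
    -n codesign+foo@example.com -V -5m:+1h ./developer.pub
# Trust anchor: only the CA key, never individual developer keys.
echo "codesign+foo@example.com cert-authority $(cat rootca.pub)" > allowed_signers.conf
echo "hello" > example.bin

sign_with ./developer-cert.pub example.bin
verify_as codesign+foo@example.com; CERTIFIED=$?        # 0: full chain OK
verify_as codesign+bar@example.com; WRONG_PRINCIPAL=$?  # non-zero: entitlement not granted
sign_with ./rogue example.bin
verify_as codesign+foo@example.com; UNCERTIFIED=$?      # non-zero: key not signed by CA
echo "certified=$CERTIFIED wrong_principal=$WRONG_PRINCIPAL uncertified=$UNCERTIFIED"

{ [ -n "${SSH_AGENT_PID:-}" ] && kill "$SSH_AGENT_PID"; } 2>/dev/null || true
cd / && rm -rf "$WORK"
```

Because the signature file embeds the signer's certificate, `verify_as` needs only the CA entry in `allowed_signers.conf` and the expected principal; nothing from the developer is trusted directly.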