Generate ed25519 keys using openssl

[jeremyhu]

I'm attempting to migrate from using DSA to using ed25519 for signing our software updates (XQuartz/XQuartz#199).

I generated my ed25519 key like:

$ openssl genpkey -algorithm Ed25519 -out sparkle_ed25519_priv.pem

I extracted the public key like:

$  openssl pkey -in sparkle_ed25519_priv.pem -pubout -out parkle_ed25519_priv.pem

I placed the contents of sparkle_ed25519_priv.pem (without the header/footer) into the app's Info.plist in the SUPublicEDKey key, eg:

   <key>SUPublicEDKey</key>
   <string>MCowBQYDK2VwAyEAZ1GA4UtoHkt7UhlT7UpPomzjnP7q4I342zsvBVOa77M=</string>

I generated the signature using openssl pkeyutl:

openssl pkeyutl -sign -inkey sparkle_ed25519_priv.pem -rawin -in /path/to/XQuartz-2.8.2_beta1.dmg | base64

I then placed that signature into sparkle:edSignature in our feed, eg:

<enclosure url="https://github.com/XQuartz/XQuartz/releases/download/XQuartz-2.8.2_beta1/XQuartz-2.8.2_beta1.dmg"
 sparkle:version="2.8.20"
 sparkle:shortVersionString="XQuartz-2.8.2_beta1"
 length="122445045"
 type="application/octet-stream"
 sparkle:dsaSignature="MC4CFQCvjKV297akZPpbJYklTxcR/msbBgIVAIvLmx9x3t4brKGXRKjBNFhe1HdZ"
 sparkle:edSignature="9XV12eLuHj8WvIyjUCDDmZCrfCAW1CWT2dMFoPZ0/K4OTD3SHZjX8LjXufSuOylmEPVCPrO1Daji9KTdvviqBQ=="
 sparkle:installationType="package" />

Existing installs using DSA are still updating fine, but my test build which has the SUPublicEDKey entry and no SUPublicDSAKeyFile entry is failing:

2022-06-18 07:48:08.390864-0700 0x709026   Error       0x4acbbf             64849  0    X11.bin: (Sparkle) [org.sparkle-project.Sparkle:Sparkle] EdDSA signature does not match. Data of the update file being checked is different than data that has been signed, or the public key and the private key are not from the same set.

I downloaded https://github.com/XQuartz/XQuartz/releases/download/XQuartz-2.8.2_beta1/XQuartz-2.8.2_beta1.dmg myself and verified it fine:

$ echo "9XV12eLuHj8WvIyjUCDDmZCrfCAW1CWT2dMFoPZ0/K4OTD3SHZjX8LjXufSuOylmEPVCPrO1Daji9KTdvviqBQ==" | base64 -d > signature.dat
$ openssl pkeyutl -verify -pubin -inkey sparkle_ed25519_pub.pem -rawin -in /Users/jeremy/Downloads/XQuartz-2.8.2_beta1.dmg -sigfile signature.dat       
Signature Verified Successfully

So why is Sparkle failing to verify here? What am I missing?

The EdDSA Migration page doesn't provide much support for generating the signature the way Sparkle wants it, and the Sparkle Documentation tells the user how to create the signing keys (using generate_keys, which places them in the keychain, I just prefer to manage the key as a .pem file myself) but has no information on actually how to sign. There is reference to generate_appcast, but that doesn't actually seem to work (even with the key generated with generate_keys) and is a bit heavy for what I want to do.

[zorgiepoo]

If you use generate_keys you can later export the key to a file (with -x; see generate_keys --help) and then remove the item from the keychain if you don't want to use it. generate_keys also tells you how to include the key in the Info.plist. sign_update also has an option (-f) to take the file as an argument (at least in 2.x version of the tools, which you can still use even if you use 1.x framework). It also has a --verify option these days.

I never tried with openssl. The library we use may expect it to be in a certain format or something.

[jeremyhu]

Yeah, I'm using generate_keys and sign_update in my build pipeline now, but I'd like to be able to use openssl(1) directly if possible. This is more of a "what am I missing?" question than a "how can I get this to work?" question.

[zorgiepoo]

It might be complicated and related to orlp/ed25519#10

[jeremyhu]

Interesting, thanks!

[zorgiepoo]

Posting this for future reference: the issue I linked above is only for using the private keys generated by orlp/ed25519 into other tools/libraries (which may be dealt with in #2470). Absent of that, using openssl directly should work for newly generated keys, but it's annoying because you have to make sure you ignore all the extra headers/footers stuff including the OID in the data. It may be easier to work with DER format if you're using openssl:

# Generate private key
openssl genpkey -algorithm Ed25519 -outform DER -out sparkle_ed25519_priv.der
# Extract public key
openssl pkey -inform der -in sparkle_ed25519_priv.der -pubout -outform der -out sparkle_ed25519_pub.der
# This will get you your 32-byte public key ignoring the OID header stuff at the beginning, which can be put as the `SUPublicEDKey`
tail -c 32 sparkle_ed25519_pub.der | base64
# Generate a signature for a download file, suitable for the sparkle:edSignature
openssl pkeyutl -keyform der -sign -inkey sparkle_ed25519_priv.der -rawin -in my-file.dmg | base64