Merge pull request #834 from jettero/4.0-sign-script

4.0 sign script

Author: jettero

contrib/sign-profiles.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# This is an example of a way to quickly sign a repo without accidentally
+# signing all the wrong things.  If everything goes well, it should
+# (re)generate a MANIFEST and SIGNATURE file.
+#
+# USAGE: bash contrib/sign-profiles.sh repo private-key
+#
+# e.g., bash contrib/sign-profiles.sh ~/code/hubblestack_data.git_repo ~/secerts/hubble/private.key
+#
+
+PROFILE="$1"; shift
+PRIVATE_KEY="${1:-/etc/certs/private.key}"; shift
+OK=0
+
+HUBBLE="${HUBBLE:-hubble}"
+
+if [ -n "$PROFILE" -a -d "$PROFILE/hubblestack_pulsar" -a -d "$PROFILE/hubblestack_nova_profiles" ]
+then cd "$PROFILE" || exit 1; OK=1
+else read -ep "$PROFILE=\"$PROFILE\" doesn't look like profile repo, sign anyway? " YN
+    if [[ "$YN" =~ [Yy] ]]
+    then cd "$PROFILE" || exit 1; OK=1
+    fi
+fi
+
+if [ "X$OK" = X1 ]
+then readarray -t FILEZ < <( find ./ -name .git -prune -o \( -type f -print \) \
+       | grep -vE '^(MANIFEST|SIGNATURE)$' )
+    ( set -x -e;
+      cd "$PROFILE"
+      "$HUBBLE" -vvv signing.msign "${FILEZ[@]}" private_key="$PRIVATE_KEY"
+    )
+else "usage: $(basename "$0") profile-dir"
+fi

hubblestack/utils/signing.py

@@ -64,8 +64,8 @@
 MANIFEST_RE = re.compile(r'^\s*(?P<digest>[0-9a-fA-F]+)\s+(?P<fname>.+)$')
 log = logging.getLogger(__name__)
 
-# "verification_log_timestamps" is a global dict that contains str path 
-# and time() kv pairs. When the time() value exceeds the dampening_limit (3600 sec), 
+# "verification_log_timestamps" is a global dict that contains str path
+# and time() kv pairs. When the time() value exceeds the dampening_limit (3600 sec),
 # we reset time and set log level accordingly.
 verif_log_timestamps = {}
 # How often in seconds 3600 = 1 hour to set log level to log.error/critical
@@ -332,7 +332,7 @@ def __init__(self, public_crt=None, ca_crt=None):
             except ossl.X509StoreContextError as exception_object:
                 code, depth, message = exception_object.args[0]
                 if code in (2,3,20,27,33):
-                    # from openssl/x509_vfy.h or 
+                    # from openssl/x509_vfy.h or
                     # https://www.openssl.org/docs/man1.1.0/man3/X509_STORE_CTX_set_current_cert.html
                     # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT         2
                     # X509_V_ERR_UNABLE_TO_GET_CRL                 3
@@ -444,7 +444,12 @@ def sign_target(fname, ofname, private_key='private.key', **kwargs): # pylint: d
     """
     # NOTE: This is intended to crash if there's some number of keys other than
     # exactly 1 read from the private_key file:
-    first_key, = read_certs(private_key)
+    the_keys = list(read_certs(private_key))
+    if not the_keys:
+        log.error('unable to sign %s with %s (no such file or error reading certs)',
+            os.path.abspath(fname), os.path.abspath(private_key))
+        return
+    first_key = the_keys[0]
     hasher, chosen_hash = hash_target(fname, obj_mode=True)
     args = { 'data': hasher.finalize() }
     if isinstance(first_key, rsa.RSAPrivateKey):
@@ -458,7 +463,7 @@ def sign_target(fname, ofname, private_key='private.key', **kwargs): # pylint: d
         fh.write('\n')
 
 def verify_signature(fname, sfname, public_crt='public.crt', ca_crt='ca-root.crt', **kwargs): # pylint: disable=unused-argument
-    ### make 
+    ### make
     """
         Given the fname, sfname public_crt and ca_crt:
 
@@ -601,7 +606,7 @@ def verify_files(targets, mfname='MANIFEST', sfname='SIGNATURE', public_crt='pub
             # or it's a digest from the MANIFEST. If UNKNOWN, we have nothing to compare
             # so we return UNKNOWN
             status = STATUS.UNKNOWN
-            # check to see if the the status of a failed target has been sent is the last 
+            # check to see if the the status of a failed target has been sent is the last
             # x seconds, we reset time and set log level accordingly. the same for FAIL
         elif digest == new_hash:
             # path gets same status as MANIFEST

tests/unittests/resources/pretend-certs/25519-1/bundle.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIURP1Q7LP4Qo+9UrjZaC7MZ3+3Kk4wBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTI1MVoXDTI5MDkyODIxMTkzMVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTEuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQABTL/rpAHbd9QEtKBMMvcY0spy4F8iZUqQjZSO21kPQKNmMGQwHwYD
+VR0jBBgwFoAUwh+cpSrbXdPickBjcmYbPZKzYQEwHQYDVR0OBBYEFAWou/d/qAoA
+35JdNjBy0vs/XLpDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAMghSFrbu7v8vC3LCueAsNA6FKHG/iabBonx2F2Nxe4KPRmPeEuB
+d3SK3J6wlDB+b6LdR/6x0tHnmHhbzoMA2A0=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUEVkmZe7+qF/MWSy0fjY9fhz1F7gwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTI1MVoXDTI5MDkyODIxMTkzMVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTIuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQBar2Y3JhOwLHRnx6JEF8BurvOstJxruxdT0V19/sCJlqNmMGQwHwYD
+VR0jBBgwFoAUwh+cpSrbXdPickBjcmYbPZKzYQEwHQYDVR0OBBYEFO0EfJdSS+Ps
+gbKLHoTevNaXRDvqMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBANC+xnNTb/FzmmF72sU5o8tXWxRF7l5N1AHWiedape/R+9WpOw3s
+sCb3Gb6zAJctLBuc273b9CpnMie21rdedAk=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-1/ca-root.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUYQnnc1vQ8bOnFIp9YyUIYmfy+zEwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTI1MVoXDTI5MDkyODIxMTkzMVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJjYXIuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQBgpHW4S2JwT4NFJfQiXpskpNL21NTEtAevNgnOSix9WKNmMGQwHwYD
+VR0jBBgwFoAUwh+cpSrbXdPickBjcmYbPZKzYQEwHQYDVR0OBBYEFMIfnKUq213T
+4nJAY3JmGz2Ss2EBMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAPNql/7hj5p4q/EU5jwDrDCHTw3cNCs0e3XlLbUCn4l0DwA91XFG
+Gl/Zd34JC6Z1cuEIts/OgdLC+8on1HxiIQY=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-1/ca-root.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEICu+jXD6S4pTFdvurQE7kwdyvizCly6iFEyXab2US/CV
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-1/ca-root.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAYKR1uEticE+DRSX0Il6bJKTS9tTUxLQHrzYJzkosfVg=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-1/intermediate-1.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIURP1Q7LP4Qo+9UrjZaC7MZ3+3Kk4wBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTI1MVoXDTI5MDkyODIxMTkzMVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTEuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQABTL/rpAHbd9QEtKBMMvcY0spy4F8iZUqQjZSO21kPQKNmMGQwHwYD
+VR0jBBgwFoAUwh+cpSrbXdPickBjcmYbPZKzYQEwHQYDVR0OBBYEFAWou/d/qAoA
+35JdNjBy0vs/XLpDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAMghSFrbu7v8vC3LCueAsNA6FKHG/iabBonx2F2Nxe4KPRmPeEuB
+d3SK3J6wlDB+b6LdR/6x0tHnmHhbzoMA2A0=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-1/intermediate-1.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIMRBmpqQq+cvn49ogZ37LKh7DdRSEi/XGNnUUlCbShu3
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-1/intermediate-1.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAAUy/66QB23fUBLSgTDL3GNLKcuBfImVKkI2UjttZD0A=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-1/intermediate-2.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUEVkmZe7+qF/MWSy0fjY9fhz1F7gwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTI1MVoXDTI5MDkyODIxMTkzMVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTIuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQBar2Y3JhOwLHRnx6JEF8BurvOstJxruxdT0V19/sCJlqNmMGQwHwYD
+VR0jBBgwFoAUwh+cpSrbXdPickBjcmYbPZKzYQEwHQYDVR0OBBYEFO0EfJdSS+Ps
+gbKLHoTevNaXRDvqMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBANC+xnNTb/FzmmF72sU5o8tXWxRF7l5N1AHWiedape/R+9WpOw3s
+sCb3Gb6zAJctLBuc273b9CpnMie21rdedAk=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-1/intermediate-2.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIOs6OveTE8Fdrvh4ocwCi+TGNfKl2VJimpkeVQOVnDgv
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-1/intermediate-2.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAWq9mNyYTsCx0Z8eiRBfAbq7zrLSca7sXU9Fdff7AiZY=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-1/private-1.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIAji7b3QFAh6pUyeEIYyM6Rsx0Hr05sW/3r3sThQDOtu
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-1/private-2.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIEme51xRg+REgjHggZK3ZAtTgY79h/lVaWJZv5mnWKI5
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-1/public-1.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvDCCAW6gAwIBAgIUeeEV84IFklBe2P9b9MW3H58jquIwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSaWExLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTI1MVoXDTI5MDkyODIxMTkzMVowYjELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRYwFAYDVQQDDA1DZXJ0eSBDZXJ0ICMxMCowBQYDK2Vw
+AyEAlKtBaJbjp/BRnwUQOI5mdQjs0p67DSOvLTTc6ME0SEejMTAvMB0GA1UdDgQW
+BBQuB1K9WgtwLgp4yf0WkkaJHxBFozAOBgNVHQ8BAf8EBAMCBNAwBQYDK2VwA0EA
+81XVAB1H+YR97WKDTJP9F9G6adNKXIUPrtP3bbicvcdqQzUmt5IeL9lSmEGNS71+
+ECR5em+YaNuo5lV5a37VAw==
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-1/public-1.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAlKtBaJbjp/BRnwUQOI5mdQjs0p67DSOvLTTc6ME0SEc=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-1/public-2.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvDCCAW6gAwIBAgIUSAEU4IAxsq5ztBYozISrqdZh/ScwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSaWEyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTI1MVoXDTI5MDkyODIxMTkzMVowYjELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRYwFAYDVQQDDA1DZXJ0eSBDZXJ0ICMyMCowBQYDK2Vw
+AyEAZS9aEe2LSTxoDHYCPEOUHrKfI219xwPLiMnjCOriORmjMTAvMB0GA1UdDgQW
+BBR3npasA5ENT1Lbajz8FgFvyVVzGTAOBgNVHQ8BAf8EBAMCBNAwBQYDK2VwA0EA
+f2dQvR76RkpcqkiPWEb1iA90LRhXcl1gQA7I0Ge+vl3N5BV/NEpNTXP2NAbav0gU
+H4I9ut52JMEZearzxsOYAA==
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-1/public-2.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAZS9aEe2LSTxoDHYCPEOUHrKfI219xwPLiMnjCOriORk=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-2/bundle.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUEz1V2rlGuv8mtI9+Q6zDvkcj4YUwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTYzOVoXDTI5MDkyODIxMjMxOVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTEuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQDh3XVqPyhKRS2GHm/Cyjwjdm++Gb3rMH7YAVyILsxh+qNmMGQwHwYD
+VR0jBBgwFoAU70BlpEMzzHX1zQkrE5/7W7dbZDEwHQYDVR0OBBYEFArfAfKz3mNH
+KiijWTpVinclIHmDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAJfe/tlbTv0u9ASdAgruMTHERE+27KH8xHrnL27WgNn72efaIr8x
+SOOv8gUQcd7YhhKTMrLd8wK/TtMPAzii/QQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUEfbZpUm0hSle3fVK9by4IVFvFPgwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTYzOVoXDTI5MDkyODIxMjMxOVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTIuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQC1E4Wy4XhAK2GDgSnyc631gFfscCIXbpCXTs1OGH0vPqNmMGQwHwYD
+VR0jBBgwFoAU70BlpEMzzHX1zQkrE5/7W7dbZDEwHQYDVR0OBBYEFG0Sdd1M/mVs
+qOmIoXgjxCGZN1b7MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAP9aH8KLQUOQx2xNvMAuaMTS4YmmZ5Xy/7USyHZz5JkM+X9IO5jr
+WUposEepJUTs1YibR6hOcWCNGEFfftOxvQw=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-2/ca-root.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUIch7nU0JT4IHdVBQ2Tfs7xJ2MxEwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTYzOVoXDTI5MDkyODIxMjMxOVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJjYXIuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQCvc420Dkp+pRfCnrrcpdTn3q+BZvRHbeJ0P11n+emIDqNmMGQwHwYD
+VR0jBBgwFoAU70BlpEMzzHX1zQkrE5/7W7dbZDEwHQYDVR0OBBYEFO9AZaRDM8x1
+9c0JKxOf+1u3W2QxMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAFxkSVGJ5rnkYMXeR4IHJZIWvxJwQ8Grnv9aFJnaSf7JHzLE+U1o
+mE9zoI6wB1jv2Kj/EJ7nRrlYUctHFZJKKQA=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-2/ca-root.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIMM+rVDrYR9R2bJ7mhUg5g/Tba262FkTiLIzsYkcMPsO
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-2/ca-root.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAr3ONtA5KfqUXwp663KXU596vgWb0R23idD9dZ/npiA4=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-2/intermediate-1.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUEz1V2rlGuv8mtI9+Q6zDvkcj4YUwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTYzOVoXDTI5MDkyODIxMjMxOVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTEuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQDh3XVqPyhKRS2GHm/Cyjwjdm++Gb3rMH7YAVyILsxh+qNmMGQwHwYD
+VR0jBBgwFoAU70BlpEMzzHX1zQkrE5/7W7dbZDEwHQYDVR0OBBYEFArfAfKz3mNH
+KiijWTpVinclIHmDMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAJfe/tlbTv0u9ASdAgruMTHERE+27KH8xHrnL27WgNn72efaIr8x
+SOOv8gUQcd7YhhKTMrLd8wK/TtMPAzii/QQ=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-2/intermediate-1.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEINXj6ru0z9jMc1HUN8WDUJ7cYjZgZzGvirfUrvUFr2nI
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-2/intermediate-1.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA4d11aj8oSkUthh5vwso8I3Zvvhm96zB+2AFciC7MYfo=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-2/intermediate-2.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAaigAwIBAgIUEfbZpUm0hSle3fVK9by4IVFvFPgwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSY2FyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTYzOVoXDTI5MDkyODIxMjMxOVowZzELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRswGQYDVQQDDBJpYTIuaHViYmxlc3RhY2suaW8wKjAF
+BgMrZXADIQC1E4Wy4XhAK2GDgSnyc631gFfscCIXbpCXTs1OGH0vPqNmMGQwHwYD
+VR0jBBgwFoAU70BlpEMzzHX1zQkrE5/7W7dbZDEwHQYDVR0OBBYEFG0Sdd1M/mVs
+qOmIoXgjxCGZN1b7MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgKE
+MAUGAytlcANBAP9aH8KLQUOQx2xNvMAuaMTS4YmmZ5Xy/7USyHZz5JkM+X9IO5jr
+WUposEepJUTs1YibR6hOcWCNGEFfftOxvQw=
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-2/intermediate-2.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKXRUbHRQUVF48B2wlCOHjelThkcPruy5epXA2pNlq0t
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-2/intermediate-2.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAtROFsuF4QCthg4Ep8nOt9YBX7HAiF26Ql07NThh9Lz4=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-2/private-1.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIPIOwibDqHRHS1Kx4BcXFlTRpJ+/8HyZMo0Hx8trjVBY
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-2/private-2.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIE99TwlMJDDNn572tYBUAv4/nGXwSPtTGU093S5osPMX
+-----END PRIVATE KEY-----

tests/unittests/resources/pretend-certs/25519-2/public-1.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvDCCAW6gAwIBAgIUCDTqBhZsLUWtHQjbLyILlAdvfUEwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSaWExLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTYzOVoXDTI5MDkyODIxMjMxOVowYjELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRYwFAYDVQQDDA1DZXJ0eSBDZXJ0ICMxMCowBQYDK2Vw
+AyEAg1cHTOOL8/+t5H7euuJf07YIarYaA9v3BjA0+IOzIHKjMTAvMB0GA1UdDgQW
+BBTQUAqDvt19JA6tNFDLEDzO/wAn6TAOBgNVHQ8BAf8EBAMCBNAwBQYDK2VwA0EA
+Zx5xoCyRwISf41f8XRTyg5Tj1aoul4oIsuMMPWLNDlT+Iwjrs+3ul3iwDck3S13U
+nUMbhbFSvqTAhZrklJtxBg==
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-2/public-1.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAg1cHTOOL8/+t5H7euuJf07YIarYaA9v3BjA0+IOzIHI=
+-----END PUBLIC KEY-----

tests/unittests/resources/pretend-certs/25519-2/public-2.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvDCCAW6gAwIBAgIUBigc9ZKWD3q5vb1BvarBaFQ3LAwwBQYDK2VwMGcxCzAJ
+BgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UE
+CgwDT3JnMQ4wDAYDVQQLDAVHcm91cDEbMBkGA1UEAwwSaWEyLmh1YmJsZXN0YWNr
+LmlvMB4XDTIwMDMyNjEyMTYzOVoXDTI5MDkyODIxMjMxOVowYjELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DjAMBgNVBAsMBUdyb3VwMRYwFAYDVQQDDA1DZXJ0eSBDZXJ0ICMyMCowBQYDK2Vw
+AyEAY7TB/7GfoCtmiOoadzgA7HyBZqpXUiTqSY8vg2M7MESjMTAvMB0GA1UdDgQW
+BBTNPTbSi9fWX281N/ABT1M9WI6XpDAOBgNVHQ8BAf8EBAMCBNAwBQYDK2VwA0EA
+AuXUU8r8+YSyeuKt7smE4ZO8L/gdj+m9nAQEKPj7wGmAtITKGMTeZKbH5dfAVKfH
++PdHZM+tVPFspBXlfVL2Aw==
+-----END CERTIFICATE-----

tests/unittests/resources/pretend-certs/25519-2/public-2.unsigned

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAY7TB/7GfoCtmiOoadzgA7HyBZqpXUiTqSY8vg2M7MEQ=
+-----END PUBLIC KEY-----

tests/unittests/test_repo_signing.py

@@ -5,7 +5,7 @@
 from pytest import fixture
 import hubblestack.utils.signing as sig
 
-@fixture(scope='module', params=['rsa', '448'])
+@fixture(scope='module', params=['rsa', '448', '25519'])
 def cdbt(request):
     yield request.param