Lucet tools have the ability to verify digital signatures of their input, and produce signed output, ensuring continuous trust even if assets have to transit over unsecured networks.
- lucetc can be configured to only compile source code (.wat files) if a signature is present and can be verified using a pre-configured public key.
- Shared libraries produced by the lucetc compiler can themselves embed a signature, computed using the same secret key as the source code, or a different key.
- The lucet-wasi runtime can be configured to run native code from lucetc only if it embeds a valid signature for a pre-configured public key.
Secret keys can be protected by a password for interactive use, or be password-less for automation.
The Lucet container ships with
Please enter a password to protect the secret key.
Password:
Password (one more time):
Deriving a key from the password in order to encrypt the secret key... done
The secret key was saved as /Users/j/.rsign/rsign.key - Keep it secret!
The public key was saved as rsign.pub - That one can be public.
Files signed using this key pair can be verified with the following command:
rsign verify <file> -P RWRJwC2NawX3xnBK6mvAAehmFWQ6Z1PLXoyIz78LYkLsklDdaeHEcAU5
rsign sign example.wasm
Password: Deriving a key from the password and decrypting the secret key... done
The resulting signature is stored in a file with the same name as the signed file, with a .minisig suffix (in the example above:
Source files can be verified by adding the following command-line switches to
--signature-verify --signature-pk=<path to the public key file>
lucetc assumes that a source file and its signature are in the same directory.
Compilation will only start if the signature is valid for the given public key.
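When a source file is rejected, a useful triage step is to confirm that the .minisig file next to it was produced with the key pair whose public key is pinned. The following is an added example, not Lucet or rsign code: it assumes the standard minisign file layout (not described on this page), and its function names are hypothetical.

```python
import base64
from typing import NamedTuple

# Public key printed in the rsign output on this page.
PAGE_PUBLIC_KEY = "RWRJwC2NawX3xnBK6mvAAehmFWQ6Z1PLXoyIz78LYkLsklDdaeHEcAU5"

class SigInfo(NamedTuple):
    algorithm: bytes       # b"Ed" (legacy) or b"ED" (pre-hashed)
    key_id: bytes          # 8-byte identifier of the signing key
    trusted_comment: str

def public_key_id(pk_b64: str) -> bytes:
    """Key ID of a minisign public key: 'Ed' || key_id(8) || key(32)."""
    raw = base64.b64decode(pk_b64.strip(), validate=True)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign public key")
    return raw[2:10]

def parse_signature(text: str) -> SigInfo:
    """Parse the four lines of a .minisig file; does NOT verify anything."""
    lines = text.strip().splitlines()
    if (len(lines) != 4 or not lines[0].startswith("untrusted comment: ")
            or not lines[2].startswith("trusted comment: ")):
        raise ValueError("expected a 4-line minisign signature file")
    sig = base64.b64decode(lines[1], validate=True)    # alg || key_id || sig(64)
    glob = base64.b64decode(lines[3], validate=True)   # global signature(64)
    if len(sig) != 74 or sig[:2] not in (b"Ed", b"ED") or len(glob) != 64:
        raise ValueError("malformed signature blob")
    return SigInfo(sig[:2], sig[2:10], lines[2][len("trusted comment: "):])

def key_id_matches(sig_text: str, pk_b64: str) -> bool:
    """Triage only: the key ID is a hint, the tools still check the signature."""
    return parse_signature(sig_text).key_id == public_key_id(pk_b64)

def constructed_sig(key_id: bytes) -> str:
    """Constructed sample with all-zero signature bytes (would never verify)."""
    blob = base64.b64encode(b"Ed" + key_id + bytes(64)).decode()
    return ("untrusted comment: constructed sample\n" + blob +
            "\ntrusted comment: file:example.wasm\n" +
            base64.b64encode(bytes(64)).decode() + "\n")

if __name__ == "__main__":
    sample = constructed_sig(public_key_id(PAGE_PUBLIC_KEY))
    print(parse_signature(sample), key_id_matches(sample, PAGE_PUBLIC_KEY))
```

A matching key ID only says which key the signature claims to come from; acceptance still depends on the cryptographic check performed by the --signature-verify switch.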
Shared libraries produced by the lucetc compiler can embed a signature.
This requires a secret key, which can be created either with a 3rd party minisign implementation, or by
lucetc --signature-keygen \
  --signature-sk <file to store the secret key into> \
  --signature-pk <file to store the public key into>
By default, secret keys are protected by a password. If this is inconvenient, lucetc also supports raw, unencrypted secret keys.
In order to use raw keys, add a raw: prefix before the file name (ex:
In order to embed a signature in a shared object produced by lucetc-wasi, the following command-line switches should be present:
--signature-create --signature-sk <path to the secret key file>
If the secret key was encrypted with a password, the password will be asked interactively.
Signatures are directly stored in the
Key pairs used for source verification and for signing compiled objects can be different, and both operations are optional.
lucet-wasi can be configured to run only trusted native code, meaning code that includes a valid signature for a pre-configured key. To do so, the following command-line switches have to be present:
--signature-verify --signature-pk <path to the public key file>