clientupdate/distsign: use distinct PEM types for root/signing keys (#9045)

To make key management less error-prone, use different PEM block types for root and signing keys. As a result, separate out most of the Go code between root/signing keys too. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2023-08-23 17:13:03 -06:00
parent 9c07f4f512
commit f61dd12f05
5 changed files with 243 additions and 79 deletions
--- a/release/dist/cli/cli.go
+++ b/release/dist/cli/cli.go
@@ -88,6 +88,8 @@ func CLI(getTargets func(unixpkgs.Signers) ([]dist.Target, error)) *ffcli.Comman
 				ShortHelp:  "Generate root or signing key pair",
 				FlagSet: (func() *flag.FlagSet {
 					fs := flag.NewFlagSet("gen-key", flag.ExitOnError)
+					fs.BoolVar(&genKeyArgs.root, "root", false, "generate a root key")
+					fs.BoolVar(&genKeyArgs.signing, "signing", false, "generate a signing key")
 					fs.StringVar(&genKeyArgs.privPath, "priv-path", "private-key.pem", "output path for the private key")
 					fs.StringVar(&genKeyArgs.pubPath, "pub-path", "public-key.pem", "output path for the public key")
 					return fs
@@ -190,12 +192,25 @@ func parseSigningKey(path string) (crypto.Signer, error) {
 }

 var genKeyArgs struct {
+	root     bool
+	signing  bool
 	privPath string
 	pubPath  string
 }

 func runGenKey(ctx context.Context) error {
-	priv, pub, err := distsign.GenerateKey()
+	var pub, priv []byte
+	var err error
+	switch {
+	case genKeyArgs.root && genKeyArgs.signing:
+		return errors.New("only one of --root or --signing can be set")
+	case !genKeyArgs.root && !genKeyArgs.signing:
+		return errors.New("set either --root or --signing")
+	case genKeyArgs.root:
+		priv, pub, err = distsign.GenerateRootKey()
+	case genKeyArgs.signing:
+		priv, pub, err = distsign.GenerateSigningKey()
+	}
 	if err != nil {
 		return err
 	}