Tool for Signing and Verifying Signatures of CloudFormation Templates
Project description
CF-Signer - CloudFormation Signing Utility
Tool for signing and verifying the integrity of CloudFormation templates
Free software: MIT license
Documentation: https://cf-signer.readthedocs.io.
Features
Signing CloudFormation templates by creating a sha256 hash of the file, encrypted with the user’s private key and store base64 form of the signature in the CloudFormation template Metadata section.
Verifying the integrity of CloudFormation templates by looking for the signature in the Metadata, extracting it and verifying.
Signing Flow
The process of signing is based on the following flow:
Generate RSA private key:
openssl genrsa -out key.pem 2048
Get public key from the RSA generated private key:
openssl rsa -in key.pem -outform PEM -pubout -out pubkey.pem
Create a sha256 hash signature, encrypted with the private key:
openssl dgst -sha256 -sign key.pem -out sign.sha256 cf.template
Convert the signature to base64 string:
base64 -i sign.sha256 -o sign.b64
Attach the base64 signature to the CloudFormation template, under the Metadata block (creating one if it doesn’t exist).
Verification Flow
The process of signature verification is based on the following flow:
Detach the signature from the CloudFormation template
Convert the base64 detached signature string to binary format:
base64 -d sign.b64 > sign.sha256
Validate the signature using the public key:
openssl dgst -sha256 -verify pubkey.pem -signature sign.sha256 cf.template
Credits
The signing and verification process was inspired by sgershtein/SignedJSON.
This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.
History
0.0.1 (2021-06-22)
First release on PyPI.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for cf_signer-0.0.1-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | f9be4c74ce2fc9a9f7de239d80bee7aac26595c265382afd4692f73a6b667b03 |
|
MD5 | 6edf58d76076367b09b5e3a7a65a4d38 |
|
BLAKE2b-256 | 7c1afc0957677b67d4708f8288e1d8ba6db11fcde8f46cbbdde924f1ed92c3b0 |