cf-signer 0.0.1

Tool for Signing and Verifying Signatures of CloudFormation Templates

CF-Signer - CloudFormation Signing Utility

Tool for signing and verifying the integrity of CloudFormation templates

• Free software: MIT license

• Documentation: https://cf-signer.readthedocs.io.

Features

• Signing CloudFormation templates by creating a sha256 hash of the file, encrypted with the user’s private key and store base64 form of the signature in the CloudFormation template Metadata section.

• Verifying the integrity of CloudFormation templates by looking for the signature in the Metadata, extracting it and verifying.

Signing Flow

The process of signing is based on the following flow:

• Generate RSA private key:

  openssl genrsa -out key.pem 2048

• Get public key from the RSA generated private key:

  openssl rsa -in key.pem -outform PEM -pubout -out pubkey.pem

• Create a sha256 hash signature, encrypted with the private key:

  openssl dgst -sha256 -sign key.pem -out sign.sha256 cf.template

• Convert the signature to base64 string:

  base64 -i sign.sha256 -o sign.b64

• Attach the base64 signature to the CloudFormation template, under the Metadata block (creating one if it doesn’t exist).

Verification Flow

The process of signature verification is based on the following flow:

• Detach the signature from the CloudFormation template

• Convert the base64 detached signature string to binary format:

  base64 -d sign.b64 > sign.sha256

• Validate the signature using the public key:

  openssl dgst -sha256 -verify pubkey.pem -signature sign.sha256 cf.template

Credits

• The signing and verification process was inspired by sgershtein/SignedJSON.

• This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.

History

0.0.1 (2021-06-22)

• First release on PyPI.