Skip to main content

OpenSSH-based signer for Swarmauri

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_signing_ssh Discord

swarmauri_signing_ssh

An OpenSSH-based signer implementing the ISigning interface for detached signatures over raw bytes and canonicalized envelopes.

Features:

  • Detached signatures powered by OpenSSH ssh-keygen -Y for Ed25519, RSA and ECDSA keys.
  • Accepts private keys from filesystem paths or in-memory PEM blobs.
  • JSON canonicalization built in with optional CBOR canonicalization via cbor2.
  • Envelope helpers for canonicalized signing and verification workflows.

Requirements

  • OpenSSH ssh-keygen (v8.2 or newer with -Y support) must be available on PATH.
  • Install the optional cbor extra (swarmauri_signing_ssh[cbor]) to enable CBOR canonicalization.

Installation

pip

pip install swarmauri_signing_ssh

Enable CBOR canonicalization when desired:

pip install "swarmauri_signing_ssh[cbor]"

uv

uv add swarmauri_signing_ssh
uv add "swarmauri_signing_ssh[cbor]"

Poetry

poetry add swarmauri_signing_ssh
poetry add swarmauri_signing_ssh -E cbor

Usage

Supported key references

Provide the signer with a KeyRef dictionary:

  • {"kind": "path", "priv": "/path/to/id_ed25519", "identity": "optional"} references a private key on disk.
  • {"kind": "pem", "priv": "-----BEGIN OPENSSH PRIVATE KEY-----..."} accepts an OpenSSH private key as text/bytes. The key material is written to a secure temporary file for signing.

The signer derives the corresponding public key line, fingerprint (kid) and algorithm token automatically.

Verification options

  • Pass one or more OpenSSH public key lines via opts["pubkeys"] when calling verify_bytes or verify_envelope. Verification fails immediately when the list is missing or empty.
  • Override the namespace used by ssh-keygen -Y through opts["namespace"] (defaults to "file").
  • Supply the expected signer identity with opts["identity"]. Identities default to signer{i} based on index order.
  • Restrict acceptable signatures via the require mapping. Supported keys are "algs", "kids" and "min_signers".

README example: sign and verify an SSH signature

import asyncio
import subprocess
import tempfile
from pathlib import Path

from swarmauri_signing_ssh import SshEnvelopeSigner


async def main() -> bool:
    signer = SshEnvelopeSigner()

    with tempfile.TemporaryDirectory() as tmpdir:
        tmpdir_path = Path(tmpdir)
        priv_path = tmpdir_path / "id_ed25519"
        subprocess.run(
            ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", str(priv_path)],
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        pubkey_line = priv_path.with_suffix(".pub").read_text(encoding="utf-8").strip()

        key = {"kind": "path", "priv": str(priv_path), "identity": "readme-demo"}
        payload = b"hello ssh signatures"

        signatures = await signer.sign_bytes(key, payload)
        return await signer.verify_bytes(
            payload,
            signatures,
            opts={"pubkeys": [pubkey_line], "identity": "readme-demo"},
        )


if __name__ == "__main__":  # pragma: no cover - README execution path
    print(asyncio.run(main()))

Running the script prints True once verification succeeds.

Envelope workflows

Use sign_envelope / verify_envelope alongside canonicalize_envelope to operate on structured payloads. JSON canonicalization is always available; enable the cbor extra to emit canonical CBOR bytes.

RSA keys default to sha256 hashing but accept hashalg="sha512" via either the key reference or opts. All signatures are detached (features include "detached_only"), and multiple signatures can be verified in a single call.

Entry Point

The signer registers under the swarmauri.signings entry point as SshEnvelopeSigner.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_signing_ssh-0.11.0.dev1.tar.gz (11.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

swarmauri_signing_ssh-0.11.0.dev1-py3-none-any.whl (12.9 kB view details)

Uploaded Python 3

File details

Details for the file swarmauri_signing_ssh-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_signing_ssh-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 11.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_signing_ssh-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 5dedd940140f3eee9800413bb6d511872e533fa46755a6294b99c50f97f5956d
MD5 117a572b51130513d499c40a8de85fc6
BLAKE2b-256 0c0f03b58e3ab65dd4436fa50cbd85756dfabc15edfb2dd36660ce34f9afc58c

See more details on using hashes here.

File details

Details for the file swarmauri_signing_ssh-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_signing_ssh-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 12.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_signing_ssh-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 869e9165ef66e2460b51b1724c06caf3ec6a5ac6586628277c2be0cadb2bcc8b
MD5 570b5cdca45d4e81e83b4d6feb2ff98c
BLAKE2b-256 96b56de0c75d88f17c8daf88bfd2029e42b1c6cd984dfd63f5183bf356c1f7fa

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page