opa-sign(1)

1Open Policy Agent(1)                                      Open Policy Agent(1)
2
3
4

NAME

6       opa-sign - Generate an OPA bundle signature
7
8
9

SYNOPSIS

11       opa sign  [ [...]] [flags]
12
13
14

DESCRIPTION

16       Generate an OPA bundle signature.
17
18
19       The 'sign' command generates a digital signature for policy bundles. It
20       generates a ".signatures.json" file that dictates which files should be
21       included in the bundle, what their SHA hashes are, and is cryptographi‐
22       cally secure.
23
24
25       The signatures file is a JSON file with an array  containing  a  single
26       JSON Web Token (JWT) that encapsulates the signature for the bundle.
27
28
29       The --signing-alg flag can be used to specify the algorithm to sign the
30       token. The 'sign' command uses RS256 (by default) as the signing  algo‐
31       rithm.     See   https://www.openpolicyagent.org/docs/latest/configura‐
32       tion/#keys for a list of supported signing algorithms.
33
34
35       The key to be used for signing the  JWT  MUST  be  provided  using  the
36       --signing-key  flag.   For  example,  for RSA family of algorithms, the
37       command expects a PEM file containing the private key.  For HMAC family
38       of algorithms (eg. HS256), the secret can be provided using the --sign‐
39       ing-key flag.
40
41
42       OPA 'sign' can ONLY be used with the --bundle flag to load  paths  that
43       refer  to  existing  bundle  files  or directories following the bundle
44       structure.
45
46
47              $ opa sign --signing-key /path/to/private_key.pem --bundle foo
48
49
50
51       Where foo has the following structure:
52
53
54              foo/
55                |
56                +-- bar/
57                |     |
58                |     +-- data.json
59                |
60                +-- policy.rego
61                |
62                +-- .manifest
63
64
65
66       This will create a ".signatures.json" file in  the  current  directory.
67       The --output-file-path flag can be used to specify a different location
68       for the ".signatures.json" file.
69
70
71       The content of the ".signatures.json" file is shown below:
72
73
74              {
75                "signatures": [
76                   "eyJhbGciOiJSUzI1NiJ9.eyJmaWxlcyI6W3sibmFtZSI6Ii5tYW5pZmVzdCIsImhhc2giOiIxODc0NWRlNzJjMDFlODBjZDlmNTIwZjQxOGMwMDlhYzRkMmMzZDAyYjE3YTUwZTJkMDQyMTU4YmMzNTJhMzJkIiwiYWxnb3JpdGhtIjoiU0hBLTI1NiJ9LHsibmFtZSI6ImJhci9kYXRhLmpzb24iLCJoYXNoIjoiOTNhMjM5NzFhOTE0ZTVlYWNiZjBhOGQyNTE1NGNkYTMwOWMzYzFjNzJmYmI5OTE0ZDQ3YzYwZjNjYjY4MTU4OCIsImFsZ29yaXRobSI6IlNIQS0yNTYifSx7Im5hbWUiOiJwb2xpY3kucmVnbyIsImhhc2giOiJkMGYyNDJhYWUzNGRiNTRlZjU2NmJlYTRkNDVmY2YxOTcwMGM1ZDhmODdhOWRiOTMyZGZhZDZkMWYwZjI5MWFjIiwiYWxnb3JpdGhtIjoiU0hBLTI1NiJ9XX0.lNsmRqrmT1JI4Z_zpY6IzHRZQAU306PyOjZ6osquixPuTtdSBxgbsdKDcp7Civw3B77BgygVsvx4k3fYr8XCDKChm0uYKScrpFr9_yS6g5mVTQws3KZncZXCQHdupRFoqMS8vXAVgJr52C83AinYWABwH2RYq_B0ZPf_GDzaMgzpep9RlDNecGs57_4zlyxmP2ESU8kjfX8jAA6rYFKeGXJHMD-j4SassoYIzYRv9YkHx8F8Y2ae5Kd5M24Ql0kkvqc_4eO_T9s4nbQ4q5qGHGE-91ND1KVn2avcUyVVPc0-XCR7EH8HnHgCl0v1c7gX1RL7ET7NJbPzfmzQAzk0ZW0dEHI4KZnXSpqy8m-3zAc8kIARm2QwoNEWpy3MWiooPeZVSa9d5iw1aLrbyumfjBP0vCQEPes-Aa6PrARwd5jR9SacO5By0-4emzskvJYRZqbfJ9tXSXDMcAFOAm6kqRPJaj8AO4CyajTC_Lt32_0OLeXqYgNpt3HDqLqGjrb-8fVeQc-hKh0aES8XehQqXj4jMwfsTyj5alsXZm08LwzcFlfQZ7s1kUtmr0_BBNJYcdZUdlu6Qio3LFSRYXNuu6edAO1VH5GKqZISvE1uvDZb2E0Z-rtH-oPp1iSpfvsX47jKJ42LVpI6OahEBri44dzHOIwwm3CIuV8gFzOwR0k"
77                ]
78              }
79
80
81
82       And the decoded JWT payload has the following form:
83
84
85              {
86                "files": [
87                   {
88                     "name": ".manifest",
89                     "hash": "18745de72c01e80cd9f520f418c009ac4d2c3d02b17a50e2d042158bc352a32d",
90                     "algorithm": "SHA-256"
91                   },
92                   {
93                     "name": "policy.rego",
94                     "hash": "d0f242aae34db54ef566bea4d45fcf19700c5d8f87a9db932dfad6d1f0f291ac",
95                     "algorithm": "SHA-256"
96                   },
97                   {
98                     "name": "bar/data.json",
99                     "hash": "93a23971a914e5eacbf0a8d25154cda309c3c1c72fbb9914d47c60f3cb681588",
100                     "algorithm": "SHA-256"
101                   }
102                ]
103              }
104
105
106
107       The "files" field is generated  from  the  files  under  the  directory
108       path(s) provided to the 'sign' command. During bundle signature verifi‐
109       cation, OPA will check each file name (ex. "foo/bar/data.json") in  the
110       "files"  field  exists in the actual bundle. The file content is hashed
111       using SHA256.
112
113
114       To include additional claims in the payload use the --claims-file  flag
115       to provide a JSON file containing optional claims.
116
117
118       For  more  information on the format of the ".signatures.json" file see
119       https://www.openpolicyagent.org/docs/latest/management/#signature-for‐
120       mat.
121
122
123

OPTIONS

125       -b,  --bundle[=false]       load paths as bundle files or root directo‐
126       ries
127
128
129       --claims-file=""      set path of JSON file containing optional  claims
130       (see:        https://openpolicyagent.org/docs/latest/management/#signa‐
131       ture-format)
132
133
134       -h, --help[=false]      help for sign
135
136
137       -o, --output-file-path="."        set  the  location  for  the  .signa‐
138       tures.json file
139
140
141       --signing-alg="RS256"      name of the signing algorithm
142
143
144       --signing-key=""       set  the  secret  (HMAC) or path of the PEM file
145       containing the private key (RSA and ECDSA)
146
147
148       --signing-plugin=""      name of the plugin to use for  signing/verifi‐
149       cation  (see https://openpolicyagent.org/docs/latest/management/#signa‐
150       ture-plugin
151
152
153

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

SEE ALSO