Open Policy Agent(1)                                      Open Policy Agent(1)

NAME
       opa-sign - Generate an OPA bundle signature

SYNOPSIS
       opa sign <path> [<path> [...]] [flags]

DESCRIPTION
       Generate an OPA bundle signature.

       The 'sign' command generates a digital signature for policy bundles. It
       generates a ".signatures.json" file that dictates which files should be
       included in the bundle, what their SHA hashes are, and is
       cryptographically secure.

       The signatures file is a JSON file with an array containing a single
       JSON Web Token (JWT) that encapsulates the signature for the bundle.

       The --signing-alg flag can be used to specify the algorithm to sign the
       token. The 'sign' command uses RS256 (by default) as the signing
       algorithm. See https://www.openpolicyagent.org/docs/latest/configuration/#keys
       for a list of supported signing algorithms.

       The key to be used for signing the JWT MUST be provided using the
       --signing-key flag. For example, for the RSA family of algorithms, the
       command expects a PEM file containing the private key. For the HMAC
       family of algorithms (e.g. HS256), the secret itself is provided using
       the --signing-key flag.

       OPA 'sign' can ONLY be used with the --bundle flag to load paths that
       refer to existing bundle files or directories following the bundle
       structure.

              $ opa sign --signing-key /path/to/private_key.pem --bundle foo

       Where foo has the following structure:

              foo/
                |
                +-- bar/
                |     |
                |     +-- data.json
                |
                +-- policy.rego
                |
                +-- .manifest

       This will create a ".signatures.json" file in the current directory.
       The --output-file-path flag can be used to specify a different location
       for the ".signatures.json" file.

       The content of the ".signatures.json" file is shown below:

              {
                "signatures": [
                   "eyJhbGciOiJSUzI1NiJ9.eyJmaWxlcyI6W3sibmFtZSI6Ii5tYW5pZmVzdCIsImhhc2giOiIxODc0NWRlNzJjMDFlODBjZDlmNTIwZjQxOGMwMDlhYzRkMmMzZDAyYjE3YTUwZTJkMDQyMTU4YmMzNTJhMzJkIiwiYWxnb3JpdGhtIjoiU0hBLTI1NiJ9LHsibmFtZSI6ImJhci9kYXRhLmpzb24iLCJoYXNoIjoiOTNhMjM5NzFhOTE0ZTVlYWNiZjBhOGQyNTE1NGNkYTMwOWMzYzFjNzJmYmI5OTE0ZDQ3YzYwZjNjYjY4MTU4OCIsImFsZ29yaXRobSI6IlNIQS0yNTYifSx7Im5hbWUiOiJwb2xpY3kucmVnbyIsImhhc2giOiJkMGYyNDJhYWUzNGRiNTRlZjU2NmJlYTRkNDVmY2YxOTcwMGM1ZDhmODdhOWRiOTMyZGZhZDZkMWYwZjI5MWFjIiwiYWxnb3JpdGhtIjoiU0hBLTI1NiJ9XX0.lNsmRqrmT1JI4Z_zpY6IzHRZQAU306PyOjZ6osquixPuTtdSBxgbsdKDcp7Civw3B77BgygVsvx4k3fYr8XCDKChm0uYKScrpFr9_yS6g5mVTQws3KZncZXCQHdupRFoqMS8vXAVgJr52C83AinYWABwH2RYq_B0ZPf_GDzaMgzpep9RlDNecGs57_4zlyxmP2ESU8kjfX8jAA6rYFKeGXJHMD-j4SassoYIzYRv9YkHx8F8Y2ae5Kd5M24Ql0kkvqc_4eO_T9s4nbQ4q5qGHGE-91ND1KVn2avcUyVVPc0-XCR7EH8HnHgCl0v1c7gX1RL7ET7NJbPzfmzQAzk0ZW0dEHI4KZnXSpqy8m-3zAc8kIARm2QwoNEWpy3MWiooPeZVSa9d5iw1aLrbyumfjBP0vCQEPes-Aa6PrARwd5jR9SacO5By0-4emzskvJYRZqbfJ9tXSXDMcAFOAm6kqRPJaj8AO4CyajTC_Lt32_0OLeXqYgNpt3HDqLqGjrb-8fVeQc-hKh0aES8XehQqXj4jMwfsTyj5alsXZm08LwzcFlfQZ7s1kUtmr0_BBNJYcdZUdlu6Qio3LFSRYXNuu6edAO1VH5GKqZISvE1uvDZb2E0Z-rtH-oPp1iSpfvsX47jKJ42LVpI6OahEBri44dzHOIwwm3CIuV8gFzOwR0k"
                ]
              }

       And the decoded JWT payload has the following form:

              {
                "files": [
                   {
                     "name": ".manifest",
                     "hash": "18745de72c01e80cd9f520f418c009ac4d2c3d02b17a50e2d042158bc352a32d",
                     "algorithm": "SHA-256"
                   },
                   {
                     "name": "policy.rego",
                     "hash": "d0f242aae34db54ef566bea4d45fcf19700c5d8f87a9db932dfad6d1f0f291ac",
                     "algorithm": "SHA-256"
                   },
                   {
                     "name": "bar/data.json",
                     "hash": "93a23971a914e5eacbf0a8d25154cda309c3c1c72fbb9914d47c60f3cb681588",
                     "algorithm": "SHA-256"
                   }
                ]
              }

       The "files" field is generated from the files under the directory
       path(s) provided to the 'sign' command. During bundle signature
       verification, OPA will check that each file name (e.g. "foo/bar/data.json")
       in the "files" field exists in the actual bundle. The file content is
       hashed using SHA-256.

       To include additional claims in the payload, use the --claims-file flag
       to provide a JSON file containing optional claims.

       For more information on the format of the ".signatures.json" file see
       https://www.openpolicyagent.org/docs/latest/management/#signature-format.

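       The following Python program is an added example and is not OPA's own
       code: it models the ".signatures.json" format described above by
       signing the foo/ layout from the text with HS256 (the HMAC family,
       where --signing-key carries the secret) and then verifying the token
       and the per-file hashes, showing what a verifier should report when a
       file is changed, removed, or added after signing. It assumes that the
       raw bytes of each file are what gets hashed with SHA-256, that the
       bundle's own .signatures.json is not listed, and it uses a constructed
       secret and constructed file contents; the extra check for files not
       covered by the signature is the example's own choice, not a behaviour
       this page describes.

```python
"""Added example (not OPA's own code): sign a bundle directory with HS256 in
the ".signatures.json" shape described above, then verify it.
Assumptions: raw file bytes are hashed with SHA-256; .signatures.json itself
is never part of the "files" list; secret and contents below are constructed."""
import base64
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

ALG = "HS256"  # the verifier pins the algorithm rather than trusting the header

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def file_hash(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def bundle_files(root: Path) -> dict:
    """Regular files under the bundle root keyed by POSIX-style relative name
    (e.g. "bar/data.json"), skipping the signatures file itself."""
    found = {p.relative_to(root).as_posix(): p for p in root.rglob("*")
             if p.is_file() and p.name != ".signatures.json"}
    return dict(sorted(found.items()))

def sign_bundle(root: Path, secret: bytes, claims=None) -> str:
    """Build the JWT: optional extra claims (as --claims-file would add) plus
    the "files" array of name/hash/algorithm entries."""
    payload = dict(claims or {})
    payload["files"] = [{"name": n, "hash": file_hash(p), "algorithm": "SHA-256"}
                        for n, p in bundle_files(root).items()]
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": ALG}, **compact).encode())
    body = b64url(json.dumps(payload, **compact).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def write_signatures(token: str, out_dir: Path) -> Path:
    """Write the one-element "signatures" array, as the text shows."""
    out = out_dir / ".signatures.json"
    out.write_text(json.dumps({"signatures": [token]}, indent=2))
    return out

def verify_bundle(root: Path, token: str, secret: bytes) -> list:
    """Return the problems found; an empty list means the bundle verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != ALG:
        return [f"token alg is not {ALG}"]
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Check the signature before acting on any claim in the payload.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return ["signature mismatch"]
    payload = json.loads(b64url_decode(body_b64))
    present = bundle_files(root)
    problems, listed = [], set()
    for entry in payload.get("files", []):
        name = entry["name"]
        listed.add(name)
        if entry.get("algorithm") != "SHA-256":
            problems.append(f"{name}: unsupported hash algorithm")
        elif name not in present:
            problems.append(f"{name}: listed in signature but missing from bundle")
        elif not hmac.compare_digest(file_hash(present[name]), entry["hash"]):
            problems.append(f"{name}: hash mismatch (content changed)")
    # Example's own stricter check: a signed bundle must not gain unsigned files.
    problems += [f"{n}: present in bundle but not covered by the signature"
                 for n in present if n not in listed]
    return problems

def build_sample_bundle(root: Path) -> Path:
    """Recreate the foo/ layout from the text with constructed contents."""
    (root / "bar").mkdir(parents=True)
    (root / "bar" / "data.json").write_text('{"roles": ["reader"]}\n')
    (root / "policy.rego").write_text("package bar\n\ndefault allow := false\n")
    (root / ".manifest").write_text('{"revision": "demo-1"}\n')
    return root

def demo() -> dict:
    """Sign the sample bundle, then report what verification finds as the
    bundle is altered step by step after signing."""
    root = build_sample_bundle(Path(tempfile.mkdtemp()) / "foo")
    secret = b"constructed-demo-secret"  # constructed for this example only
    token = sign_bundle(root, secret, claims={"scope": "write"})
    write_signatures(token, root)
    results = {"claims": json.loads(b64url_decode(token.split(".")[1])),
               "clean": verify_bundle(root, token, secret),
               "wrong_secret": verify_bundle(root, token, b"not-the-secret")}
    (root / "policy.rego").write_text("package bar\n\ndefault allow := true\n")
    results["tampered"] = verify_bundle(root, token, secret)
    (root / "bar" / "data.json").unlink()
    results["missing"] = verify_bundle(root, token, secret)
    (root / "extra.rego").write_text("package extra\n")
    results["unsigned_file"] = verify_bundle(root, token, secret)
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

       Two design points carry over to any verifier of this format: the
       signature is checked before any claim in the payload is trusted, and
       the expected algorithm is fixed by the verifier instead of being read
       from the token header, so a token that merely declares a different
       "alg" is rejected outright.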

OPTIONS
       -b, --bundle[=false]      load paths as bundle files or root directories

       --claims-file=""      set path of JSON file containing optional claims
       (see: https://openpolicyagent.org/docs/latest/management/#signature-format)

       -h, --help[=false]      help for sign

       -o, --output-file-path="."      set the location for the .signatures.json
       file

       --signing-alg="RS256"      name of the signing algorithm

       --signing-key=""      set the secret (HMAC) or path of the PEM file
       containing the private key (RSA and ECDSA)

       --signing-plugin=""      name of the plugin to use for signing/verification
       (see https://openpolicyagent.org/docs/latest/management/#signature-plugin)

SEE ALSO
       opa(1)

                                   Jan 2023               Open Policy Agent(1)