signing-tool 3.6.1rc2__tar.gz

signing_tool-3.6.1rc2/LICENSE

@@ -0,0 +1,5 @@
+Copyright (c) 2026 Laavat Oy
+
+All rights reserved.
+
+This software is the proprietary work of Laavat Oy. Use, reproduction, or distribution of this software, in whole or in part, is prohibited without the express prior written permission of Laavat Oy.

signing_tool-3.6.1rc2/MANIFEST.in

@@ -0,0 +1,10 @@
+include README.md
+include LICENSE
+include ../RELEASE-NOTES.md
+recursive-include LICENSES *
+graft signingtool
+global-exclude __pycache__
+global-exclude *.py[cod]
+global-exclude *.so
+global-exclude *.dylib
+global-exclude *.pyd

signing_tool-3.6.1rc2/PKG-INFO

@@ -0,0 +1,18 @@
+Metadata-Version: 2.4
+Name: signing-tool
+Version: 3.6.1rc2
+Summary: Laavat Signing Solution CLI Tool
+Requires-Python: >=3.8
+License-File: LICENSE
+Requires-Dist: certifi>=2017.4.17
+Requires-Dist: python-dateutil>=2.1
+Requires-Dist: six>=1.10
+Requires-Dist: urllib3>=1.23
+Requires-Dist: requests>=2.25.1
+Requires-Dist: jwcrypto>=1.0
+Requires-Dist: configparser>=5.0.2
+Requires-Dist: cryptography>=3.4
+Provides-Extra: dev
+Requires-Dist: autopep8>=1.5.7; extra == "dev"
+Requires-Dist: pycodestyle>=2.7.0; extra == "dev"
+Dynamic: license-file

signing_tool-3.6.1rc2/README.md

@@ -0,0 +1,84 @@
+# Laavat Signing Solution CLI Tool
+
+> ⚠️ **Reference Implementation Only** — This is a reference implementation and should **not be used in production**. Security improvements are planned before this tool is productized. Use this for evaluation and development purposes only.
+
+The `signing-tool` package provides the Laavat Signing Solution command-line client.
+It supports client registration, product management, image signing, secrets management, and more via the SaaS API.
+
+## Installation
+
+Install from PyPI when released:
+
+```bash
+pip install signing-tool
+```
+
+Install from source during development:
+
+```bash
+cd clients/python3
+python3 -m pip install .
+```
+
+## Quick Start
+
+Display help:
+
+```bash
+signing-tool --help
+```
+
+### Recommended usage
+
+Use a configuration file to keep credentials out of command history and logs. Create the file with `config-init`, then run the CLI using the `-n` option.
+
+```bash
+config-init -n test.ini -t "$TOKEN" -s -a https://app.laavat.io/<CustomerName>/api/v1
+signing-tool -n test.ini product getall
+```
+
+### Alternative usage
+
+You can also pass settings directly on the command line, but this is less secure because tokens may become visible in shell history or process listings.
+
+```bash
+signing-tool -c -t "$TOKEN" -a https://app.laavat.io/<CustomerName>/api/v1 product getall
+```
+
+## Configuration Options
+
+Option 1: create an ini config file using `config-init`:
+
+```bash
+config-init -n test.ini -t "$TOKEN" -s -a https://app.laavat.io/<CustomerName>/api/v1
+signing-tool -n test.ini product getall
+```
+
+Option 2: pass settings directly on the command line (not recommended for secrets):
+
+```bash
+signing-tool -c -t "$TOKEN" -a https://app.laavat.io/<CustomerName>/api/v1 product getall
+```
+
+## Example Signing Commands
+
+HAB image signing with config file:
+
+```bash
+signing-tool -n test.ini imagesigning add SignHABIMG -P <product-id> --operid <operator-id> -p <payload>
+```
+
+OCI signing with token and API address:
+
+```bash
+signing-tool -c -t "$TOKEN" -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignOCI -P <product-id> --operid <operator-id> -A <artifact>
+```
+
+## Requirements
+
+- Python 3.8 or newer
+
+## Packaging
+
+This package is configured for PyPI distribution using `pyproject.toml` and `setuptools`.
+Read the `pyproject.toml` file for package metadata and published package configuration.

signing_tool-3.6.1rc2/pyproject.toml

@@ -0,0 +1,36 @@
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "signing-tool"
+dynamic = ["version"]
+description = "Laavat Signing Solution CLI Tool"
+requires-python = ">=3.8"
+dependencies = [
+    "certifi>=2017.4.17",
+    "python-dateutil>=2.1",
+    "six>=1.10",
+    "urllib3>=1.23",
+    "requests>=2.25.1",
+    "jwcrypto>=1.0",
+    "configparser>=5.0.2",
+    "cryptography>=3.4",
+]
+
+[project.optional-dependencies]
+dev = [
+    "autopep8>=1.5.7",
+    "pycodestyle>=2.7.0",
+]
+
+[project.scripts]
+signing-tool = "signingtool.cli:main"
+config-init = "signingtool.config_init:main"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["signingtool*"]
+
+[tool.setuptools.dynamic]
+version = {attr = "signingtool.version.__version__"}

signing_tool-3.6.1rc2/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

signing_tool-3.6.1rc2/signing_tool.egg-info/PKG-INFO

@@ -0,0 +1,18 @@
+Metadata-Version: 2.4
+Name: signing-tool
+Version: 3.6.1rc2
+Summary: Laavat Signing Solution CLI Tool
+Requires-Python: >=3.8
+License-File: LICENSE
+Requires-Dist: certifi>=2017.4.17
+Requires-Dist: python-dateutil>=2.1
+Requires-Dist: six>=1.10
+Requires-Dist: urllib3>=1.23
+Requires-Dist: requests>=2.25.1
+Requires-Dist: jwcrypto>=1.0
+Requires-Dist: configparser>=5.0.2
+Requires-Dist: cryptography>=3.4
+Provides-Extra: dev
+Requires-Dist: autopep8>=1.5.7; extra == "dev"
+Requires-Dist: pycodestyle>=2.7.0; extra == "dev"
+Dynamic: license-file

signing_tool-3.6.1rc2/signing_tool.egg-info/SOURCES.txt

@@ -0,0 +1,40 @@
+LICENSE
+MANIFEST.in
+README.md
+pyproject.toml
+signing_tool.egg-info/PKG-INFO
+signing_tool.egg-info/SOURCES.txt
+signing_tool.egg-info/dependency_links.txt
+signing_tool.egg-info/entry_points.txt
+signing_tool.egg-info/requires.txt
+signing_tool.egg-info/top_level.txt
+signingtool/__init__.py
+signingtool/apiconfig.py
+signingtool/ca.py
+signingtool/cli.py
+signingtool/client.py
+signingtool/config_init.py
+signingtool/encrypt.py
+signingtool/escrow.py
+signingtool/fusemap.py
+signingtool/group.py
+signingtool/handler.py
+signingtool/metadata.py
+signingtool/parser_ca.py
+signingtool/parser_client.py
+signingtool/parser_escrow.py
+signingtool/parser_groups.py
+signingtool/parser_imagesigning.py
+signingtool/parser_product.py
+signingtool/parser_production.py
+signingtool/parser_profile.py
+signingtool/parser_secretsfusemap.py
+signingtool/parsers.py
+signingtool/product.py
+signingtool/production.py
+signingtool/profile.py
+signingtool/secret.py
+signingtool/sign.py
+signingtool/state.py
+signingtool/version.py
+signingtool/version.py.bak2

signing_tool-3.6.1rc2/signing_tool.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

signing_tool-3.6.1rc2/signing_tool.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+config-init = signingtool.config_init:main
+signing-tool = signingtool.cli:main

signing_tool-3.6.1rc2/signing_tool.egg-info/requires.txt

@@ -0,0 +1,12 @@
+certifi>=2017.4.17
+python-dateutil>=2.1
+six>=1.10
+urllib3>=1.23
+requests>=2.25.1
+jwcrypto>=1.0
+configparser>=5.0.2
+cryptography>=3.4
+
+[dev]
+autopep8>=1.5.7
+pycodestyle>=2.7.0

signing_tool-3.6.1rc2/signing_tool.egg-info/top_level.txt

@@ -0,0 +1 @@
+signingtool

signing_tool-3.6.1rc2/signingtool/apiconfig.py

@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+import configparser
+
+
+class APIConfig:
+    def __init__(self, skipssl=True, address="", token=""):
+        self.skipssl = skipssl
+        self.address = address
+        self.token = token
+
+    def ParseFromFile(self, fn: str):
+        config = configparser.ConfigParser()
+        config.read(fn)
+
+        self.skipssl = config.getboolean("service", "skipssl")
+        self.address = config.get("service", "url")
+        self.token = config.get("service", "token")
+
+    def ParseFromCmdLine(self, args: "list[str]"):
+        pass
+
+
+def GetAPIConfig(args) -> APIConfig:
+    apiconfig = APIConfig()
+
+    if args.c:
+        apiconfig = APIConfig(args.skipssl, args.a, args.t)
+    else:
+        apiconfig.ParseFromFile(args.n)
+
+    return apiconfig

signing_tool-3.6.1rc2/signingtool/ca.py

@@ -0,0 +1,121 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+import base64
+import json
+import os
+from pprint import pprint
+
+import SigningService
+from SigningService.rest import ApiException
+
+from signingtool.apiconfig import APIConfig
+from signingtool.state import stateEnumToString
+
+
+def getca(apiconfig: APIConfig, caId: str, page: int):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    api_instance = SigningService.PkiApi(
+        SigningService.ApiClient(configuration))
+
+    try:
+        result = ""
+
+        if caId:
+            result = api_instance.pki_ca_get_by_id(id=caId)
+        else:
+            pg = 0
+            if page:
+                pg = page
+            result = api_instance.pki_cas_get_all(page=pg)
+        print(json.dumps(result.to_dict(), indent=4, sort_keys=True))
+    except ApiException as e:
+        print("Exception when calling PKIApi: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+
+    return
+
+
+def getcsr(apiconfig: APIConfig, caId: str, outputFn: str):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    api_instance = SigningService.PkiApi(
+        SigningService.ApiClient(configuration))
+
+    try:
+        if outputFn:
+            if os.path.exists(outputFn):
+                print("Error: File already exists: %s\n" % outputFn)
+            else:
+                result = api_instance.pki_ca_get_by_id(id=caId)
+                csr = result.to_dict().get("csr")
+                with open(outputFn, "wb", 600) as f:
+                    f.write(base64.decodebytes(bytes(csr, "ascii")))
+                print("Payload written to file: {}".format(outputFn))
+    except ApiException as e:
+        print("Exception when calling PKIApi: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+
+    return
+
+
+def uploadchain(apiconfig: APIConfig, caId: str, chainFn: str):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    api_instance = SigningService.PkiApi(
+        SigningService.ApiClient(configuration))
+
+    try:
+        chain = base64.encodebytes(open(chainFn, "rb").read()).decode("ascii")
+        patch = SigningService.PatchCa(chain=chain)
+        result = api_instance.ca_ca_patch_add(id=caId, body=patch)
+        print(result)
+        print("Chain upload")
+    except ApiException as e:
+        print("Exception when calling PKIApi: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+
+    return
+
+
+def getcrl(apiconfig: APIConfig, caId: str):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    api_instance = SigningService.PkiApi(
+        SigningService.ApiClient(configuration))
+
+    try:
+        result = api_instance.ca_getcrl(id=caId)
+        print(result.crl)
+    except ApiException as e:
+        print("Exception when calling PKIApi: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+
+    return

signing_tool-3.6.1rc2/signingtool/cli.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+import sys
+from signingtool.parsers import ParseArgs
+
+
+def main():
+    if len(sys.argv) == 1:
+        # No arguments provided, show help by adding -h
+        sys.argv.append('-h')
+
+    parser, args = ParseArgs()
+    args.func(args)
+
+
+if __name__ == "__main__":
+    main()

signing_tool-3.6.1rc2/signingtool/client.py

@@ -0,0 +1,155 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+import base64
+import json
+import os
+from pprint import pprint
+
+import SigningService
+from SigningService.rest import ApiException
+
+from signingtool.apiconfig import APIConfig
+from signingtool.state import stateEnumToString
+
+
+def addclient(
+    apiconfig: APIConfig,
+    name: str,
+    desc: str,
+    pubKeyFn: str,
+    user: str,
+    productId: str,
+    clientType: str,
+    certFn: str,
+):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    pId = productId
+
+    api_instance = SigningService.RegistrationsClientsApi(
+        SigningService.ApiClient(configuration)
+    )
+
+    try:
+        pubkey = ""
+        if pubKeyFn:
+            pubkey = base64.encodebytes(open(pubKeyFn, "rb").read()).decode("ascii")
+        cert = ""
+        if certFn:
+            cert = base64.encodebytes(open(certFn, "rb").read()).decode("ascii")
+
+        req = SigningService.ClientRequest(
+            name=name,
+            description=desc,
+            encryption_public_key=pubkey,
+            client_user=user,
+            id_product=pId,
+            client_type=clientType,
+            client_certificate=cert,
+        )
+        result = api_instance.registrations_clients_post_add(req)
+        print(json.dumps(result.to_dict(), indent=4, sort_keys=True))
+        print(
+            "Client Add request sent. Request ID: {} state: {}".format(
+                result.to_dict()["id"], stateEnumToString(result.to_dict()["state"])
+            )
+        )
+
+    except ApiException as e:
+        print("Exception when calling Api: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+
+    return
+
+
+def approveclient(apiconfig: APIConfig, rId: str):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    api_instance = SigningService.RegistrationsClientsApi(
+        SigningService.ApiClient(configuration)
+    )
+    try:
+        req = SigningService.Approval(request_id=rId, decision="APPROVE")
+        result = api_instance.registrations_clients_post_approve(req)
+        # TODO: we should probably check if it actually succeeded but the result object
+        # has nothing. Might require an api change
+        print("Client approved")
+    except ApiException as e:
+        print("Exception when calling Api: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+    return
+
+
+def getclient(apiconfig: APIConfig, clientId: str, page: int):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    api_instance = SigningService.RegistrationsClientsApi(
+        SigningService.ApiClient(configuration)
+    )
+
+    try:
+        result = ""
+        if clientId:
+            result = api_instance.registrations_clients_get_clientbyid(clientId)
+        else:
+            pg = 0
+            if page:
+                pg = page
+            result = api_instance.registrations_clients_get_all(page=pg)
+
+        print(json.dumps(result.to_dict(), indent=4, sort_keys=True))
+    except ApiException as e:
+        print("Exception when calling Api: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+    return
+
+
+def getcapproval(apiconfig: APIConfig, approvalId: str, page: int):
+    # Configure OAuth2 access token for authorization:
+    configuration = SigningService.Configuration()
+    if apiconfig.skipssl:
+        configuration.verify_ssl = False
+    configuration.host = apiconfig.address
+    configuration.access_token = apiconfig.token
+
+    api_instance = SigningService.RegistrationsClientsApi(
+        SigningService.ApiClient(configuration)
+    )
+
+    try:
+        result = ""
+        if approvalId:
+            result = api_instance.registrations_clients_get_approvalbyid(approvalId)
+        else:
+            pg = 0
+            if page:
+                pg = page
+            result = api_instance.registrations_clients_get_approvals(page=pg)
+
+        print(json.dumps(result.to_dict(), indent=4, sort_keys=True))
+    except ApiException as e:
+        print("Exception when calling Api: %s\n" % e)
+    except Exception as e:
+        print(f"Exception: {type(e).__name__}: {e}\n")
+    return

signing_tool-3.6.1rc2/signingtool/config_init.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+import configparser
+import getopt
+import os
+import sys
+
+
+def generateCfg(config_file: str, token: str, skipTLSVerification: bool, address: str):
+
+    try:
+        if not os.path.isfile(config_file):
+            # Create the configuration file as it doesn't exist yet
+            cfgfile = open(config_file, "w")
+
+            # Add content to the file
+            Config = configparser.ConfigParser()
+            Config.add_section("service")
+            Config.set("service", "url", address)
+            Config.set("service", "token", token)
+            Config.set("service", "skipSSL", str(skipTLSVerification))
+            Config.write(cfgfile)
+            cfgfile.close()
+            print("Config file written")
+        else:
+            print("ERROR: File already exists")
+
+    except Exception as e:
+        print("Exception when calling create config file: %s\n" % e)
+
+
+def main():
+    configfile_name = ""
+    skipTLSVerification = False
+    address = "https://localhost/api/v1"
+
+    options, remainder = getopt.getopt(
+        sys.argv[1:],
+        "n:t:sa:",
+        [
+            "filename=",
+            "token=",
+            "skipTlsVerification",
+            "address=",
+        ],
+    )
+
+    if len(sys.argv) < 7:
+        print(
+            "Usage: config-init -n filename -t token -s -a address",
+            file=sys.stderr,
+        )
+        sys.exit()
+
+    for opt, arg in options:
+        if opt in ("-n", "--filename"):
+            configfile_name = arg
+        if opt in ("-t", "--token"):
+            token = arg
+        elif opt in ("-s", "--skipTlsVerification"):
+            skipTLSVerification = True
+        elif opt in ("-a", "--address"):
+            address = arg
+
+    generateCfg(
+        configfile_name,
+        token,
+        skipTLSVerification,
+        address,
+    )
+
+
+if __name__ == "__main__":
+    main()