CLI Keys

Sign and verify spar archives

The Aperture CLI supports cryptographic signing and verification of spar archives. This ensures the integrity and authenticity of your application builds.

Overview

Spar archives can be signed with a private key during creation and verified with the corresponding public key during extraction, upload, or a stand-alone verify step. This provides:

  • Integrity: Ensures the archive hasn’t been tampered with or corrupted since it was signed
  • Authenticity: Confirms the archive was produced by a holder of the private key, so a verifier that trusts the public key can trust the build
  • Security: Protects your deployment pipeline, because an archive that was modified or substituted after signing fails verification and is not extracted or uploaded

Generating Keys

Generate a key pair for signing and verification:

# Generate a private key
$ openssl genrsa -out private.key 4096
# Extract the public key
$ openssl rsa -in private.key -pubout -out public.key
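The script below is an added example, not part of the Aperture CLI or its documentation. It wraps the two openssl commands above so that the private key is created unreadable by other users, checks that public.key really is the public half of private.key before you distribute it (a mismatched pair is the most common cause of "Signature verification failed"), and prints a SHA-256 fingerprint of the public key that can be published next to it. It assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the Aperture CLI or its documentation.
# Assumes only that the openssl command-line tool is installed.
set -eu

# generate_keypair DIR [BITS]: write DIR/private.key (mode 0600) and DIR/public.key.
generate_keypair() {
    dir=$1
    bits=${2:-4096}
    mkdir -p "$dir"
    (
        umask 077      # files created inside this subshell are 0600
        openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null
    )
    openssl rsa -in "$dir/private.key" -pubout -out "$dir/public.key" 2>/dev/null
    chmod 644 "$dir/public.key"   # the public half is meant to be shared
}

# keypair_matches PRIVATE PUBLIC: exit 0 if PUBLIC is the public half of PRIVATE.
# Both keys are normalised to SubjectPublicKeyInfo PEM first, so the comparison
# does not depend on how either file was originally encoded (PKCS#1 vs PKCS#8).
keypair_matches() {
    derived=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    given=$(openssl pkey -pubin -in "$2" 2>/dev/null) || return 1
    [ "$derived" = "$given" ]
}

# pubkey_fingerprint PUBLIC: SHA-256 of the DER-encoded public key, as hex.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Example run; the "run" argument keeps this from executing when the file is sourced.
if [ "${1:-}" = "run" ]; then
    generate_keypair ./keys
    if keypair_matches ./keys/private.key ./keys/public.key; then
        echo "public.key matches private.key"
    else
        echo "public.key does NOT match private.key" >&2
        exit 1
    fi
    echo "SHA-256 fingerprint: $(pubkey_fingerprint ./keys/public.key)"
fi
```

Run it as `sh keygen.sh run` from the directory that should hold ./keys. The umask in the subshell means private.key is never briefly world-readable, and the fingerprint gives verification systems a short value to compare when a public key is distributed out of band.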

Signing Archives

Use the --signing-key option when creating archives:

$ aperture spar archive ./dist ./my-app.spar --signing-key ./keys/private.key

The signature is embedded in the archive and can be verified later.

Verifying Archives

Verify Without Extraction

Check an archive’s signature without extracting its contents:

# Verify with a public key (integrity and authenticity)
$ aperture spar verify my-app.spar -k ./keys/public.key
# Verify checksums only (no signature verification; detects corruption, not tampering)
$ aperture spar verify my-app.spar -k checksum

Verify During Extraction

Verify the archive as part of the extraction process:

# Extract and verify with public key (integrity and authenticity)
$ aperture spar extract my-app.spar --verify ./keys/public.key
# Extract and verify checksums only (no authenticity)
$ aperture spar extract my-app.spar --verify checksum

If verification fails, the extraction will be aborted.

Verify During Upload

Verify an archive before uploading to Aperture:

$ aperture build upload ./my-app.spar \
    --version 1.0.0 \
    --verify-key ./keys/public.key

Key Management Best Practices

Storing Private Keys

  • Never commit private keys to version control
  • Use environment variables or secrets managers in CI/CD
  • Restrict access to private keys to authorized personnel only
  • Consider using hardware security modules (HSMs) for production keys

CI/CD Integration

Store your private key as a secret and reference it in your workflow. Write it to a file only the build user can read, and make sure the file is removed even when the signing step fails:

# GitHub Actions example
- name: Create signed archive
  env:
    SIGNING_KEY: ${{ secrets.APERTURE_SIGNING_KEY }}
  run: |
    umask 077                                  # the key file is created mode 0600
    trap 'rm -f /tmp/private.key' EXIT         # removed even if the archive step fails
    printf '%s\n' "$SIGNING_KEY" > /tmp/private.key
    aperture spar archive ./dist ./build.spar --signing-key /tmp/private.key
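The helper below is an added example, not part of the Aperture CLI or its documentation. It generalises the GitHub Actions step above to any CI system that hands the key to a job through an environment variable: the key is written to a temporary file readable only by the current user, one command is run with that path, and the file is deleted whether the command succeeds, fails or is interrupted. The aperture invocation in the trailing comment is illustrative and assumes the CLI is installed; the helper itself needs only POSIX sh and mktemp.

```shell
#!/bin/sh
# Added example, not part of the Aperture CLI or its documentation.
set -eu

# with_signing_key VAR COMMAND [ARGS...]
# Runs COMMAND with the key file path appended as its last argument.
# Returns COMMAND's exit status; the key file is deleted in every case.
with_signing_key() {
    var=$1; shift
    eval "secret=\${$var:-}"          # indirect lookup of the named variable
    if [ -z "$secret" ]; then
        echo "with_signing_key: $var is not set or is empty" >&2
        return 2
    fi
    keyfile=$(umask 077 && mktemp)    # mktemp creates the file mode 0600
    trap 'rm -f "$keyfile"' EXIT INT TERM   # cleanup even if COMMAND fails
    printf '%s\n' "$secret" > "$keyfile"
    rc=0
    "$@" "$keyfile" || rc=$?
    rm -f "$keyfile"
    trap - EXIT INT TERM
    return "$rc"
}

# Illustrative use in CI, with SIGNING_KEY injected from the secrets store
# (assumes the aperture CLI is installed):
#   with_signing_key SIGNING_KEY aperture spar archive ./dist ./build.spar --signing-key
# which runs: aperture spar archive ./dist ./build.spar --signing-key /tmp/tmp.XXXXXX
```

Because the key path is appended as the last argument, the helper works with any tool whose key option takes a path as the following word, which is how --signing-key is used above. The exit status of the wrapped command is passed through, so a failed archive step still fails the CI job.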

Key Rotation

When rotating keys:

  1. Generate a new key pair
  2. Update CI/CD secrets with the new private key
  3. Distribute the new public key to verification systems
  4. Keep the old public key available so archives signed before the rotation can still be verified
  5. Securely destroy the old private key once nothing needs to sign with it any more

If a private key may have been exposed, rotate immediately and treat any archive signed with it after the suspected exposure as untrusted: a valid signature only proves that someone holding the private key produced the archive.

Verification Modes

Mode        Command             Use Case
Signature   -k ./public.key     Full cryptographic verification (integrity and authenticity)
Checksum    -k checksum         Integrity check only (no authenticity; a tampered archive can carry valid checksums)

Troubleshooting

Signature verification failed

  • Ensure you’re using the public key that corresponds to the private key used for signing (a public key from a previous rotation will not verify newer archives)
  • Check that the archive hasn’t been modified after signing
  • Verify the key file is in the correct format (PEM)

No signature found in archive

  • The archive was created without the --signing-key option
  • Use -k checksum for integrity verification of unsigned archives (this does not establish who produced the archive)

Invalid key format

  • Ensure keys are in PEM format
  • Private keys should start with -----BEGIN RSA PRIVATE KEY----- (PKCS#1) or -----BEGIN PRIVATE KEY----- (PKCS#8, which is what openssl genrsa writes in OpenSSL 3)
  • Public keys should start with -----BEGIN PUBLIC KEY-----