Repository: https://github.com/anderseknert/opa-sign-verify
Description: Demo of OPA bundle signature creation and verification
Topics: bundle-signing, bundle-verification, bundles, opa, open-policy-agent, security

# OPA Bundle Signing

Simple demonstration of [bundle](https://www.openpolicyagent.org/docs/latest/management-bundles/)
signing and verification for [Open Policy Agent](https://www.openpolicyagent.org/) (OPA).

## Create RSA key pair

First of all, we'll need a key pair (a private key for signing and a public key for verification):

```shell
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
```

## Create .signatures.json

Given that we have a policy directory we'll want to create a bundle from, we can now create a
`.signatures.json` file, which we'll later use for bundle verification:

```shell
opa sign --signing-key private_key.pem --bundle policy/
```

Once created, move the `.signatures.json` file into the bundle directory:

```shell
mv .signatures.json policy/
```

## Build bundle

We're now ready to build the bundle, providing both the signing key and the verification key:

```shell
opa build --bundle --signing-key private_key.pem --verification-key public_key.pem policy/
```

## Upload bundle to bundle server

Next, move the bundle to the bundle server. For the purpose of the example, we'll use an nginx
server running locally. The command below is for macOS with nginx installed via brew; the
location of the nginx "www" directory may obviously vary.

```shell
mv bundle.tar.gz /opt/homebrew/var/www
```

## Run OPA with bundle verification config

**opa-conf.yaml**
```yaml
services:
  nginx:
    url: http://localhost:8080

bundles:
  policy:
    service: nginx
    resource: bundle.tar.gz
    signing:
      keyid: verifier

keys:
  verifier:
    key: changeme
```

We now have a signed bundle served from our bundle server, so let's start the OPA server
with a config file pointing out its location. Note especially the use of `--set-file` to
point out the location of our public key. This is preferable over keeping keys embedded in
the configuration:

```shell
opa run --server \
        --config-file=opa-conf.yaml \
        --set-file="keys.verifier.key=public_key.pem"
```

Make sure you see "Bundle loaded and activated successfully." in the logs.

**Done!**