{"id":19099530,"url":"https://github.com/dentrax/cocert","last_synced_at":"2025-08-21T03:32:35.131Z","repository":{"id":103620989,"uuid":"365838585","full_name":"Dentrax/cocert","owner":"Dentrax","description":"Split and distribute your private keys securely amongst untrusted network","archived":false,"fork":false,"pushed_at":"2022-01-28T23:11:58.000Z","size":8045,"stargazers_count":203,"open_issues_count":1,"forks_count":13,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-08T03:31:18.260Z","etag":null,"topics":["public-private-key","secret-management","shamir","shamir-secret-sharing","split","supply-chain-attacks","tuf"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Dentrax.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-05-09T20:08:01.000Z","updated_at":"2025-01-24T00:03:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"590ca154-21e0-4cba-af12-9fcacce5dde1","html_url":"https://github.com/Dentrax/cocert","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Dentrax/cocert","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Fcocert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Fcocert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Fcocert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Fcocert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Dentrax","download_url":"https
://codeload.github.com/Dentrax/cocert/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Fcocert/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271420516,"owners_count":24756580,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-21T02:00:08.990Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["public-private-key","secret-management","shamir","shamir-secret-sharing","split","supply-chain-attacks","tuf"],"created_at":"2024-11-09T03:51:11.105Z","updated_at":"2025-08-21T03:32:34.329Z","avatar_url":"https://github.com/Dentrax.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\u003ca href=\"https://github.com/Dentrax/cocert\" target=\"_blank\"\u003e\u003cimg height=\"128\" src=\"https://raw.githubusercontent.com/Dentrax/cocert/main/.res/logo.png\"\u003e\u003c/a\u003e\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003ecocert\u003c/h1\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cstrong\u003e\n   An experimental tool for splitting and distributing your private keys safely*\n \u003c/strong\u003e\n\u003c/div\u003e\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg?style=flat-square\" alt=\"MIT\"\u003e\u003c/a\u003e\n  \u003ca 
href=\"https://github.com/Dentrax/cocert/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/github/release/Dentrax/cocert.svg?style=flat-square\" alt=\"GitHub release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/Dentrax/cocert\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/Dentrax/cocert?style=flat-square\" alt=\"Go Report\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Dentrax/cocert/actions?workflow=test\"\u003e\u003cimg src=\"https://img.shields.io/github/workflow/status/Dentrax/cocert/Test?label=build\u0026logo=github\u0026style=flat-square\" alt=\"Build Status\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cbr /\u003e\n\n*cocert* generates an [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) [P521](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography) key and uses [Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing) to split the master key into _x_ shares, any _y_ of which are required to reconstruct the master private key. Private keys are stored in [PEM-encoded](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) [PKCS8](https://en.wikipedia.org/wiki/PKCS_8) format and are [encrypted](https://pkg.go.dev/github.com/theupdateframework/go-tuf/encrypted) by [The Update Framework (TUF)](https://github.com/theupdateframework/go-tuf). Each private key is split using [Shamir](https://pkg.go.dev/github.com/hashicorp/vault/shamir) [Split](https://pkg.go.dev/github.com/hashicorp/vault/shamir#Split). 
To [Combine](https://pkg.go.dev/github.com/hashicorp/vault/shamir#Combine) private key files into a single key, the decryption password must be entered if the key has been encrypted by TUF.\n\n*cocert does not support any [Distributed Key Generation (DKG)](https://en.wikipedia.org/wiki/Distributed_key_generation) algorithm yet.\n\n_This repository is [signed](https://github.com/Dentrax/cocert/blob/9d9f18743c9602289dfec3c98d49b68c549d40bf/.github/workflows/publish.yml#L56-L69) via [cosign](https://github.com/sigstore/cosign), by using `cocert` itself_\n\n![GIF](.res/usage.gif)\n\n[Asciinema](https://asciinema.org/a/411543)\n\n# High Level Architecture\n\n![Screenshot](.res/arch.png)\n\n# Use-Case Example\n\n* What happens if your private key is exposed, either by a public 3rd-party cloud service provider or through an internal security breach?\n  \nYour private key would be compromised and supply chain attacks would be inevitable. What would happen if, instead of trusting just one key, we distributed our key across multiple secure environments? We would avoid supply chain attacks: even if one of our private keys is compromised, we still need two more keys to combine and obtain the final private key.\n\n![Screenshot](.res/use-case.png)\n\n# Installation\n\n* Go\n```bash\n$ go install github.com/Dentrax/cocert@latest\n```\n\n* Docker\n```bash\n$ docker pull ghcr.io/dentrax/cocert\n```\n\n# Verify\n\n## Prerequisites\n1. [cosign](https://github.com/sigstore/cosign)\n2. [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane)\n\n## Check\n\n```bash\n# 1. Download the public key\n$ curl https://raw.githubusercontent.com/Dentrax/cocert/main/.github/workflows/certs/cocert.pub -o cocert.pub\n\n# 2. Verify\n$ cosign verify -key cocert.pub ghcr.io/dentrax/cocert | jq\n\n# 3. 
Make sure verified commit matches the digest of the latest image \n$ crane digest ghcr.io/dentrax/cocert\n```\n\n# Usage\n\n```bash\nUsage:\n  cocert [command]\n\nAvailable Commands:\n  combine     Combine the cert integrity on the supplied PEM files\n  decrypt     Decrypt the target private keys using TUF\n  encrypt     Encrypt the target private keys using TUF\n  generate    Generates TUF encrypted keys using ECDSA and splits into PKCS8-PKIX key-pairs\n  help        Help about any command\n  sign        Sign the given payload and create a certificate from Fulcio\n  split       Split your existing private key into parts\n  verify      Verify the given payload on the supplied signature\n\nFlags:\n  -h, --help   help for cocert\n```\n\n## Use-Case Demonstration\n\n1. Generate\n```bash\n$ cocert generate --parts 3 --threshold 2\n\nGenerating TUF encrypted Shamir PEMs...\nCreate new password for private key:  (master)\nConfirm password: (master)\nExtracting PEMs to files...\nDo you want to encrypt each key using TUF? (y/n) [n]: y\nCreate new password for cocert0.key key: (foo)\nCreate new password for cocert1.key key: (bar)\nCreate new password for cocert2.key key: (baz)\n```\n\n2.1. Sign with Private Key\n```bash\n$ cocert sign -f cocert0.key -f cocert1.key -p \"Foo Bar Baz\"\n\n(Press Enter to continue without decrypt...)\nEnter your password for cocert0.key: (foo)\nEnter your password for cocert1.key: (bar)\nEnter your master key: (master)\nSigned: MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==\n```\n\n2.2. 
Sign with [Fulcio](https://github.com/sigstore/fulcio) (Keyless)\n```bash\n$ cocert sign -f cocert0.key -f cocert1.key -p \"Foo Bar Baz\" -o my.cert\n\n(Press Enter to continue without decrypt...)\nEnter your password for cocert0.key: (foo)\nEnter your password for cocert1.key: (bar)\nEnter your master key: (master)\nYour browser will now be opened to:\nhttps://oauth2.sigstore.dev/auth/auth?access_type=online\u0026client_id=sigstore\u0026code_challenge=CODE\u0026code_challenge_method=S256\u0026nonce=NONCE\u0026redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback\u0026response_type=code\u0026scope=openid+email\u0026state=STATE\nSigned: MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==\n```\n\n3.1. Verify with Public Key\n```bash\n$ cocert verify -f cocert.pub -p \"Foo Bar Baz\" -k \"MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==\"\n```\n\n3.2. Verify with Certificate\n```bash\n$ cocert verify -c my.cert -p \"Foo Bar Baz\" -k \"MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==\"\n```\n\n**Bonus:** Splitting\n```bash\n# 1. Generate your custom private key\n$ cosign generate-key-pair\n\nEnter password for private key: (qux)\nPrivate key written to cosign.key\nPublic key written to cosign.pub\n\n# 2. Split the key written above (cosign.key)\n$ cocert split -f cosign.key --parts 3 --threshold 2\n\nCreate new password for cocert0.key key: (foo)\nCreate new password for cocert1.key key: (bar)\nCreate new password for cocert2.key key: (baz)\n\n# 3. 
Test with combine (any 2 of the 3 shares reconstruct the key)\n$ cocert combine -f cocert0.key -f cocert1.key -o cosign.key\n\nEnter your password for cocert0.key: (foo)\nEnter your password for cocert1.key: (bar)\nDecrypting TUF encrypted PEMs...\nEnter your master key: (qux)\nCombined\n```\n\n## Encrypt \u0026 Decrypt Keys\n\n* Encrypt\n```bash\n$ cocert encrypt -f cocert0.key -o \"cocert0.key.encrypted\"\n\nEnter your password for : (foo2)\nConfirm password: (foo2)\n```\n\n* Decrypt\n```bash\n$ cocert decrypt -f cocert0.key.encrypted -o \"cocert0.key.decrypted\"\n# The decrypted file must be byte-identical to the original share:\n# [[ $(md5 -q cocert0.key) == $(md5 -q cocert0.key.decrypted) ]]\n\nEnter your password for : (foo2)\n\n$ cocert decrypt -f cocert0.key.decrypted -o \"cocert0.key.unencrypted\"\n# You can pass an empty password for the 'cocert0.key.unencrypted' key\n\nEnter your password for : (foo)\n```\n\n* Combine\n\n```bash\n$ cocert combine -f cocert0.key.unencrypted -f cocert1.key\n\nLoading PEMs from files...\n(Press Enter to continue without decrypt...)\nEnter your password for cocert0.key.unencrypted: (PASS)\nEnter your password for cocert1.key: (bar)\nDecrypting TUF encrypted PEMs...\nEnter your master key: (master)\nCombined\n```\n\n# Special Thanks\n\n| Package                                                       | Author                                                  | License                                                                                      |\n| :------------------------------------------------------------ | :------------------------------------------------------ | :------------------------------------------------------------------------------------------- |\n| [cosign](https://github.com/sigstore/cosign) | [sigstore](https://github.com/sigstore) | [Apache License 2.0](https://github.com/sigstore/cosign/blob/main/LICENSE) |\n| [go-tuf](https://github.com/theupdateframework/go-tuf) | [The Update Framework](https://github.com/theupdateframework) | [BSD](https://github.com/theupdateframework/go-tuf/blob/master/LICENSE) |\n| 
[Vault](https://github.com/hashicorp/vault) | [HashiCorp](https://github.com/hashicorp) | [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/master/LICENSE) |\n| [prompter](https://github.com/Songmu/prompter) | [Songmu](https://github.com/Songmu) | [MIT](https://github.com/Songmu/prompter/blob/main/LICENSE) |\n\n- Thanks to everyone who contributed these libraries and [others](https://github.com/Dentrax/cocert/blob/main/go.mod) that made this project possible.\n\n# License\n\n*cocert* was created by [Furkan 'Dentrax' Türkal](https://twitter.com/furkanturkaI)\n\nThe base project code is licensed under [MIT](https://opensource.org/licenses/MIT) unless otherwise specified. Please see the **[LICENSE](https://github.com/Dentrax/cocert/blob/main/LICENSE)** file for more information.\n\n\u003ckbd\u003eBest Regards\u003c/kbd\u003e","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdentrax%2Fcocert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdentrax%2Fcocert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdentrax%2Fcocert/lists"}