Ability to disable non default signature algorithm(s)

.github/workflows/delivery.yml

@@ -0,0 +1,85 @@
+name: Delivery
+
+on:
+  pull_request:
+    types: [synchronize, opened, reopened]
+  push:
+    branches: [master]
+  release:
+    # Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated.
+    types: [published]
+  schedule:
+    # Run every monday on 9:00 in the morning (UTC).
+    - cron: "0 9 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+  security-events: write
+
+jobs:
+  publish-docker-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check whether this event is the HEAD of main
+        continue-on-error: true
+        id: is-head-main
+        run: git rev-parse HEAD | grep -x ${{ github.sha }}
+        shell: bash
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=edge,enable=${{ steps.is-head-main.outcome == 'success' }}
+            type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container and export to local Docker
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          load: true
+          tags: local/atumd:scan
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan Image
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          image: local/atumd:scan
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: critical
+          output-format: sarif
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ !cancelled() }}
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push image to GitHub Container Registry
+        uses: docker/build-push-action@v5
+        if: ${{ ! contains(fromJSON('["schedule", "pull_request"]'), github.event_name) }}
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -0,0 +1,24 @@
+FROM golang:1-alpine AS build
+
+# Build binary
+COPY . /atumd
+WORKDIR /atumd
+RUN go build -a -ldflags '-extldflags "-static"' -o "/bin/atumd" .
+
+# Create application user
+RUN adduser -D -u 1000 -g atumd atumd
+
+# Start building the final image
+FROM scratch
+
+# Ensure the application user and group is set
+COPY --from=build /etc/passwd /etc/passwd
+COPY --from=build /etc/group /etc/group
+
+# Copy binary from build stage
+COPY --from=build --chown=atumd:atumd /bin/atumd /bin/atumd
+
+# Switch to application user
+USER atumd
+
+ENTRYPOINT ["atumd"]

README.md

@@ -1,24 +1,33 @@
 atumd
 =====
 
-Post-quantum trusted time-stamping service.
-See [go-atum](https://github.com/bwesterb/go-atum) for more information
-on the protocol.
+Post-quantum trusted time-stamping service. 
+See [go-atum](https://github.com/bwesterb/go-atum) for more information on the protocol.
 
 Setup
 -----
-To install `atumd`, run
-
-```
-go get github.com/bwesterb/atumd
-```
 
-Then create a `config.yaml`:
+Create a `config.yaml` file:
 
 ```yaml
 bindAddr: :8080
 canonicalUrl: http://localhost:8080
 ```
+For all configuration options, see [config.yaml.example](config.yaml.example)
+
+**Run using Docker**
+The easiest way to run `atumd` for development purposes is using Docker.
+
+````
+docker-compose up
+````
+
+**Run using GO**
+To install `atumd`, run
+
+```
+go install github.com/bwesterb/atumd
+```
 
 and run
 
@@ -29,12 +38,10 @@ atumd
 You probably want to configure a proper webserver like `nginx` to act
 as proxy and set a corresponding sane `canonicalUrl` with HTTPS.
 
-For more configuration options, see [config.yaml.example](config.yaml.example)
-
 Warnings concerning redundancy and backups
 ------------------------------------------
 
-`atumd` uses the **statefull** XMSS[MT] Siganture scheme.  Each signature
+`atumd` uses the **statefull** XMSS[MT] Signature scheme.  Each signature
 has a *sequence number* (seqno) and a sequence number
 [must not](https://eprint.iacr.org/2016/1042.pdf) be reused as it
 is likely to lead to signature forgery.

config.yaml.example

@@ -1,6 +1,6 @@
 # You probably want to configure these
 canonicalUrl: https://path.to/rproxy
-bindAddr: localhost:8080
+bindAddr: :8080
 
 # Maximum size of nonce to sign.  Best to keep above 64.
 maxNonceSize: 128
@@ -12,10 +12,16 @@ acceptableLag: 60
 # The default signature algorithm.  Either ed25519 or xmssmt.
 defaultSigAlg: xmssmt
 
+# Whether or not other signature algorithms besides defaultSigAlg 
+# are disabled. This is useful if you only want to support one algorithm.
+# NOTE: if true, you can still verify validity of timestamps generated with 
+# any other supported algorithm for the keys listed in otherTrustedPublicKeys
+disableOtherSigAlg: false
+
 # Path to store private keys.  Will be generated if not present.
 # WARNING: do not make backups or copies of xmssmt.key.  See the README.
-xmssmtKeyPath: xmssmt.key
-ed25519KeyPath: ed25519.key
+xmssmtKeyPath: /.secrets/xmssmt.key
+ed25519KeyPath: /.secrets/ed25519.key
 
 # XMSS(MT) instance to use.
 xmssmtAlg: XMSSMT-SHAKE_40/4_256

docker-compose.yml

@@ -0,0 +1,17 @@
+version: '3.1'
+
+services:
+
+  atumd:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    volumes:
+      - "./config.yaml:/config/config.yaml"
+      - "./.secrets:/.secrets"
+    ports:
+      - "8080:8080"
+    expose:
+      - 8080
+    command:
+      - "-config=/config/config.yaml"

go.mod

@@ -1,15 +1,38 @@
 module github.com/bwesterb/atumd
 
-go 1.14
+go 1.23.0
+
+toolchain go1.24.0
 
 require (
 	github.com/bwesterb/go-atum v1.1.5
 	github.com/bwesterb/go-pow v1.0.0
 	github.com/bwesterb/go-xmssmt v1.5.2
 	github.com/go-chi/cors v1.2.1
-	github.com/prometheus/client_golang v1.12.2
-	github.com/prometheus/common v0.35.0 // indirect
-	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
-	google.golang.org/protobuf v1.28.0 // indirect
+	github.com/prometheus/client_golang v1.21.0
+	golang.org/x/crypto v0.35.0
 	gopkg.in/yaml.v2 v2.4.0
 )
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bwesterb/byteswriter v1.0.0 // indirect
+	github.com/cespare/xxhash v1.1.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/edsrzf/mmap-go v1.2.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nightlyone/lockfile v1.0.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/templexxx/cpu v0.1.1 // indirect
+	github.com/templexxx/xorsimd v0.4.3 // indirect
+	github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928 // indirect
+	go.etcd.io/bbolt v1.4.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
+)