by convolvatron 58 days ago
apologies for asking this question here instead of actually doing the research, but it always seemed to be that while putting keys in a secure environment would help against leakage of the private bits, there really isn't a great story around making sure that only authorized requests can be signed. is this a stupid concern?

Yubikey can require touch, and Secretive for Apple Secure enclave can require touch with fingerprint id. Some people disable these, it depends exactly on your use case.
You don’t need Secretive, there is actually an Apple native way.

I put my ssh keys into the Mac’s TPM and now it asks for a password/touch ID when I use it.

Unfortunately I forget what commands I used.

yes, but what's to stop a malicious actor from intercepting a signature request and replacing its own contents in place of the legitimate one? yes you would find out when your push was rejected, but that would be a bit late.
It is not a stupid concern, but there is architecture around making sure you can't just save a request for later and replay it.