Chalk Signing Key Provider Service

Chalk can make use of the Crash Override Signing Key Provider Service to make it very easy to add attestation to all chalk operations.

Crash Override provides a Signing Key Backup Service which backs-up the encrypted private key password, allowing attestation usage without manually orchestrating to provide chalk with the password value. That has a few assumptions:

  • key-material is manually managed (the Backup service only manages the password to decrypt the key)
  • chalk binary needs to be shared as it embeds the key-material into the binary, otherwise each chalk setup will mint new key-pair

Managing key-material manually can improve security in some cases however it can also add friction for some users. To remove this burden and make attestation even easier, Crash Override also provides a Signing Key Provider Service, which fully manages the key-material and enables chalk to retrieve it on-demand when necessary.

Using the Chalk Signing Key Provider Service

Use of the Signing Key Provider Service is simple and chalk provides builtin command to help get things setup.

For chalk to be able to use the Signing Key Provider Service it needs to be configured with an API token. Running the following command will download a pre-configured chalk profile:

chalk load

The user will then be prompted to supply an API token:

info:  Attempting to load module from:

Configuring Component:
Configuring variable: auth_config.crashoverride.token -- CrashOverride API token
Get your API token at CrashOverride:

Default is:
Press [enter] to accept default, or enter a value:

The API token to provide to chalk can be found in the Crash Override console application by navigating to unchalked Repositories. It will have instructions how to setup chalk in repositories which will show the API token to be copy-pasted into the terminal.

Upon pressing enter chalk will validate the supplied token and confirm that the configuration process has completed. Chalk will then validate the configuration parameters as a whole and embed them into the chalk binary.

Now chalk has been configured with a valid API token, chalk can retrieve the key-material from the API:

chalk setup

You will then see a number of lines of output in the terminal similar to the below:

info:  Ensuring cosign is present to setup attestation.
info:  Retrieved attestion key from Signing Key Provider Service

This retrieves the key-pair and embeds it into the chalk binary. To test the retrieval of the private key decryption password you can insert chalk on any file:

echo '#!/bin/sh' >
chalk insert

Chalk will use the Signing Key Provider Service to retrieve the password to decrypt the private key embedded in the binary. When this is done successfully you will see terminal output similar to the below:

info:  Retrieved attestation key password from Signing Key Provider Service


What exact is saved by the Chalk Signing Key Provider Service

In order to be able to provide key-material it by necessity needs to store all of the key-material which includes:

  • public key
  • encrypted private key
  • password to decrypt the private key

All data on the back-end is stored as a secret value in AWS secrets manager.

What value does Chalk Signing Key Provider Service provide?

The service allows for an "easy" button to start levering attestation and its advantages in your org.

Do I have to use Chalk Signing Key Provider Service?

No. You can pick any other key provider chalk supports. Over time we plan on supporting more key providers to provide an easy route for any org to adopt attestation via chalk.

I have more questions that are not answered here, where should I go?

We'd love to hear from you, please reach out to us at