Simple demonstration of bundle signing and verification for Open Policy Agent (OPA).

First of all, we'll need a key pair (a private key for signing and a public key for verification):

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Given that we have a policy directory we'll want to create bundle from, we can now create a .signatures.json file, which we'll later use for bundle verification:

opa sign --signing-key private_key.pem --bundle policy/

Once created, move the .signatures.json file into the bundle directory:

mv .signatures.json policy/

We're now ready to build the bundle, providing both the signing key and the verification key:

opa build --bundle --signing-key private_key.pem  --verification-key public_key.pem policy/

Next, move bundle to bundle server. For the purpose of the example, we'll use an nginx server running locally. The below command is on Mac OS with nginx installed via brew — the location of the nginx "www" directory may obviously vary.

mv bundle.tar.gz /opt/homebrew/var/www

opa-conf.yaml

services:
  nginx:
    url: http://localhost:8080

bundles:
  policy:
    service: nginx
    resource: bundle.tar.gz
    signing:
      keyid: verifier

keys:
  verifier:
    key: changeme

We now have a signed bundle served from our bundle server, so let's start the OPA server with a config file pointing out its location. Note especially the use of --set-file to point out the location of our public key. This is preferable over keeping keys embedded in the configuration:

opa run --server \
        --config-file=opa-conf.yaml \
        --set-file="keys.verifier.key=public_key.pem"

Make sure you see "Bundle loaded and activated successfully." in the logs.

Done!