Add show-pubkey command

The show-pubkey command outputs the vendor signing pubkey, the app
tag, and app hash digest to stdout. The output is in the format used
for a line in the vendor-signing-pubkey.txt file, and used to embed
another vendor signing key.

The command takes takes an argument with the path to the devie app
using --app path/to/app.bin

cmd/tkey-verification/main.go

@@ -77,7 +77,7 @@ Known firmwares:
 		vendorPubKey.String(),
 		strings.Join(firmwares.List(), " \n  "))
 
-	var devPath, baseURL, baseDir, configFile string
+	var devPath, baseURL, baseDir, configFile, binPath string
 	var checkConfigOnly, verbose, showURLOnly, versionOnly, helpOnly bool
 
 	pflag.CommandLine.SetOutput(os.Stderr)
@@ -96,6 +96,8 @@ Known firmwares:
 		"Read verification data from a file located in `DIRECTORY` and named after the TKey UDI in hex, instead of from a URL. You can for example first use \"verify --show-url\" and download the verification file manually on some other computer, then transfer the file back and use \"verify --base-dir .\" (command: verify).")
 	pflag.StringVar(&baseURL, "base-url", defaultBaseURL,
 		"Set the base `URL` of verification server for fetching verification data (command: verify).")
+	pflag.StringVarP(&binPath, "app", "a", "",
+		"`PATH` to the device app to show vendor signing pubkey (command: show-pubkey).")
 	pflag.BoolVar(&versionOnly, "version", false, "Output version information.")
 	pflag.BoolVar(&helpOnly, "help", false, "Output this help.")
 	pflag.Usage = func() {
@@ -115,7 +117,13 @@ Commands:
 
                 The flags --show-url and --base-dir can be used to show the URL for
                 downloading the verification data on one machine, and verifying the
-                TKey on another machine that lacks network, see more below.`, progname)
+                TKey on another machine that lacks network, see more below.
+
+  show-pubkey	Prints the info needed for the vendor-signing-pubkeys.txt to stdout.
+		This includes public key, app tag, and app hash in the right format.
+
+		Use the flag --app to specify the path o the desired app to use, i.e.,
+		tkey-verification show-pubkey --app /path/to/app`, progname)
 
 		le.Printf("%s\n\nFlags:\n%s\n%s", desc, pflag.CommandLine.FlagUsagesWrapped(86), builtWith)
 	}
@@ -129,7 +137,6 @@ Commands:
 		fmt.Printf("%s %s\n\n%s", progname, version, builtWith)
 		os.Exit(0)
 	}
-
 	if pflag.NArg() != 1 {
 		if pflag.NArg() > 1 {
 			le.Printf("Unexpected argument: %s\n\n", strings.Join(pflag.Args()[1:], " "))
@@ -189,6 +196,13 @@ Commands:
 
 		verify(devPath, verbose, showURLOnly, baseDir, baseURL, appBins, vendorKeys, firmwares)
 
+	case "show-pubkey":
+		if binPath == "" {
+			le.Printf("Needs the path to an app, use `--app PATH`\n")
+			os.Exit(2)
+		}
+		showPubkey(binPath, devPath, verbose)
+
 	default:
 		le.Printf("%s is not a valid command.\n", cmd)
 		pflag.Usage()

cmd/tkey-verification/showpubkey.go

@@ -0,0 +1,46 @@
+package main
+
+import (
+	"crypto/sha512"
+	"encoding/hex"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/tillitis/tkey-verification/internal/tkey"
+)
+
+func showPubkey(binPath string, devPath string, verbose bool) {
+	tk, err := tkey.NewTKey(devPath, verbose)
+	if err != nil {
+		le.Printf("Couldn't connect to TKey: %v\n", err)
+		os.Exit(1)
+	}
+
+	exit := func(code int) {
+		tk.Close()
+		os.Exit(code)
+	}
+
+	content, err := os.ReadFile(binPath)
+	if err != nil {
+		le.Printf("ReadFile: %v", err)
+		exit(1)
+	}
+
+	appHash := sha512.Sum512(content)
+
+	pubKey, err := tk.LoadSigner(content)
+	if err != nil {
+		le.Printf("LoadSigner: %v\n", err)
+		exit(1)
+	}
+
+	tag := strings.TrimSuffix(filepath.Base(binPath), ".bin")
+
+	le.Printf("Public Key, app tag, and app hash for vendor-signing-pubkeys.txt follows on stdout:\n")
+	fmt.Printf("%s %s %s\n", hex.EncodeToString(pubKey), tag, hex.EncodeToString(appHash[:]))
+
+	exit(0)
+}