Implementation:Ollama Ollama Auth Sign

Overview

Concrete tool for signing registry authentication challenges with Ed25519 keys provided by the auth package.

Description

auth.Sign reads the Ed25519 private key from ~/.ollama/id_ed25519, signs the provided challenge bytes, and returns the signature as a base64-encoded string for use in the Authorization header.

getAuthorizationToken handles the complete challenge-response flow: parses the WWW-Authenticate header, signs the challenge, exchanges it for a bearer token at the authorization realm, and returns the bearer token for subsequent requests.

Usage

Called internally by PullModel and PushModel when the registry returns a 401 authentication challenge.

Code Reference

Source Location

• Repository: ollama
• File: auth/auth.go (Sign), server/auth.go (getAuthorizationToken)
• Lines: auth.go:L53-85 (Sign), auth.go:L53-100 (getAuthorizationToken)

Signature

func Sign(ctx context.Context, bts []byte) (string, error)

func getAuthorizationToken(ctx context.Context, challenge registryChallenge, originalHost string) (string, error)

Import

import "github.com/ollama/ollama/auth"

I/O Contract

Inputs (Sign)

Outputs (Sign)

Usage Examples

Internal Usage

import "github.com/ollama/ollama/auth"

challenge := []byte("GET /v2/library/llama3/manifests/latest 2024-01-01T00:00:00Z")
signature, err := auth.Sign(ctx, challenge)
if err != nil {
    // handle missing key or signing error
}
// Use signature in Authorization header

Related Pages

Implements Principle

• Principle:Ollama_Ollama_Registry_Authentication

Requires Environment

• Environment:Ollama_Ollama_Go_Runtime