Add support for static (not extracted under wrap) PKCS#11 keys

Colin Watson requested to merge cjwatson/debusine:signing-pkcs11-static into devel

This is the simplest case of using an HSM: it doesn't cover generating keys in the HSM, just manually registering keys that have been generated separately. However, this is enough for parity with dak's code-signing tool. To use this, the signing machine will need to have the necessary PKCS#11 module installed (e.g. yubihsm-pkcs11) plus any supporting software needed to use the hardware device (e.g. yubihsm-connector).

I'd previously tried to lay out the pydantic model for Key.private_key in a way that would be compatible with future use of a discriminated union, but while writing this I discovered that I'd got it wrong. As a result, this commit includes a migration to change the layout of any existing keys in the signing database.