JetBrains / marketplace-zip-signer

Marketplace ZIP Signer tool handles signing and verification of the JetBrains plugins.
Apache License 2.0
17 stars 14 forks

Is YubiKey supported? #226

Open AlexanderBartash opened 2 months ago

AlexanderBartash commented 2 months ago

I could not find any documentation on the topic.

YubiKey allows secure storage of certificates, which can be used e.g. for signing Git commits https://developers.yubico.com/PGP/Git_signing.html or SSH auth https://developers.yubico.com/PGP/SSH_authentication/

It seems to me, it should be applicable here too.

Thank you.

AlexanderBartash commented 2 months ago

Btw, the doc https://plugins.jetbrains.com/docs/intellij/plugin-signing.html says:

A plugin author generates a key pair and ~uploads the public part to JetBrains Marketplace~ (this feature is not yet available).

It is kind of supported. In the JB user profile, there is an ability to upload the public part of an SSH key, which can also be stored on a YubiKey (with the private key). You just need another field like that, but for signature verification, because different keys might be used for signing & auth, see https://stackoverflow.com/questions/73673920/do-i-need-authentication-as-well-as-signing-keys-on-github#:~:text=The%20difference%20between%20signing%20keys,may%20be%20added%20for%20both.