Feature: Support to Yubikey (HSM)

[kairoaraujo]

What is the task about?

The CLI could implement a nice interface/UX to get the public key information (key info) and also use the Key for Root Keys on Ceremony (admin ceremony) and Metadata Update/Signing (metadata <metadata|sign>)

It would be interesting if the RSTUF CLI could use the Yubikey (HSM) for Ceremony and Metadata Update/Signing process.

We could take advantage of the implemented HSM Signer support from Secure Systems Lib.

Parent feature

No response

References

No response

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[MVrachev]

Maybe https://github.com/theupdateframework/tuf-on-ci can be a good reference for this issue?

[lukpueh]

I recommend to generally use tuf-on-ci as inspiration for Signer integration. Jussi definitely knows how to use the Signer API as it is intended. A high-level comment about the Signer API in RSTUF:

• Only the CLI (dialog) should need to know about different signers
• At least in theory, the worker should be able to just use any signer with:

  Signer.from_priv_key_uri(uri, public_key, secrets_handler)

  where the URI could be passed, via service config, the public_key is taken from the trusted root, and the secrets_handler is implemented in a generic way in the worker, making secrets available that are also passed via service config.

I plan to look at how RSTUF uses the Signer API next week and make some more concrete suggestions.

[kairoaraujo]

@KAUTH FYI https://github.com/repository-service-tuf/repository-service-tuf-worker/issues/419

[MVrachev]

Have a look at admin2 commands for this issue.