Open kairoaraujo opened 1 year ago
Maybe https://github.com/theupdateframework/tuf-on-ci can be a good reference for this issue?
I recommend generally using tuf-on-ci as inspiration for Signer integration. Jussi definitely knows how to use the Signer API as it is intended. A high-level comment about the Signer API in RSTUF:

`Signer.from_priv_key_uri(uri, public_key, secrets_handler)`

where the URI could be passed via service config, the `public_key` is taken from the trusted root, and the `secrets_handler` is implemented in a generic way in the worker, making available secrets that are also passed via service config.
I plan to look at how RSTUF uses the Signer API next week and make some more concrete suggestions.
Have a look at admin2 commands for this issue.
What is the task about?
The CLI could implement a nice interface/UX to get the public key information (`key info`) and also use the key for Root Keys on Ceremony (`admin ceremony`) and Metadata Update/Signing (`metadata <metadata|sign>`).

It would be interesting if the RSTUF CLI could use the Yubikey (HSM) for the Ceremony and Metadata Update/Signing process.
We could take advantage of the implemented HSM Signer support from Secure Systems Lib.