
Feature: Support to Yubikey (HSM) #351

Open
1 task done
kairoaraujo opened this issue Aug 19, 2023 · 4 comments

Comments

@kairoaraujo
Member

What is the task about?

The CLI could implement a nice interface/UX to get the public key information (key info) and also use the key for Root Keys in the Ceremony (admin ceremony) and Metadata Update/Signing (metadata <metadata|sign>).

It would be interesting if the RSTUF CLI could use the Yubikey (HSM) for Ceremony and Metadata Update/Signing process.

We could take advantage of the implemented HSM Signer support from Secure Systems Lib.

Parent feature

No response

References

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@MVrachev
Member

MVrachev commented Nov 3, 2023

Maybe https://github.com/theupdateframework/tuf-on-ci can be a good reference for this issue?

@lukpueh
Collaborator

lukpueh commented Nov 3, 2023

I recommend generally using tuf-on-ci as inspiration for Signer integration. Jussi definitely knows how to use the Signer API as it is intended. A high-level comment about the Signer API in RSTUF:

  • Only the CLI (dialog) should need to know about different signers.
  • At least in theory, the worker should be able to just use any signer with `Signer.from_priv_key_uri(uri, public_key, secrets_handler)`, where the URI could be passed via service config, the `public_key` is taken from the trusted root, and the `secrets_handler` is implemented in a generic way in the worker, making secrets available that are also passed via service config.

I plan to look at how RSTUF uses the Signer API next week and make some more concrete suggestions.
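
The split described in the comment above (CLI knows the concrete signers, worker only knows a URI, a trusted public key and a generic secrets handler) as an added example. This is not RSTUF's or securesystemslib's code: securesystemslib is not imported, and the `Signer` base class, `SIGNER_FOR_URI_SCHEME` registry and `SecretsHandler` alias below are a small stand-in whose shape follows the real API so the dispatch pattern is visible. The `hmac-secret:` URI scheme, the `HmacStandInSigner` (HMAC-SHA256 instead of a real asymmetric or HSM key so it runs offline), the `SIGNER_URI` config key and all sample values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Type

# Alias mirrors securesystemslib: a handler maps a secret *name* to its value.
SecretsHandler = Callable[[str], str]


@dataclass(frozen=True)
class PublicKey:
    """Stand-in for a public key entry taken from the trusted root (constructed)."""
    keyid: str
    keytype: str


def keyid_for(secret: bytes) -> str:
    """Constructed: derive a keyid from key material, as real keyids are derived."""
    return hashlib.sha256(secret).hexdigest()[:16]


class Signer:
    """Stand-in base class; registry and dispatch shape follow securesystemslib."""

    # scheme -> signer class; only the CLI/dialog side needs to populate this.
    SIGNER_FOR_URI_SCHEME: Dict[str, Type["Signer"]] = {}

    def sign(self, payload: bytes) -> bytes:
        raise NotImplementedError

    @classmethod
    def from_priv_key_uri(cls, priv_key_uri: str, public_key: PublicKey,
                          secrets_handler: SecretsHandler) -> "Signer":
        """Dispatch on the URI scheme; the caller never names a concrete signer."""
        scheme = priv_key_uri.split(":", 1)[0]
        if scheme not in Signer.SIGNER_FOR_URI_SCHEME:
            raise ValueError(f"unsupported private key URI scheme: {scheme!r}")
        signer_cls = Signer.SIGNER_FOR_URI_SCHEME[scheme]
        return signer_cls.from_priv_key_uri(priv_key_uri, public_key, secrets_handler)


class HmacStandInSigner(Signer):
    """Constructed signer (HMAC-SHA256) so the example runs offline.
    URI form: 'hmac-secret:<secret name>'; the name is resolved via the handler."""

    SCHEME = "hmac-secret"

    def __init__(self, secret: bytes, public_key: PublicKey) -> None:
        # Pin to the trusted root: refuse key material that does not match it.
        if keyid_for(secret) != public_key.keyid:
            raise ValueError("loaded key material does not match trusted public key")
        self._secret = secret
        self.public_key = public_key

    @classmethod
    def from_priv_key_uri(cls, priv_key_uri, public_key, secrets_handler):
        scheme, _, secret_name = priv_key_uri.partition(":")
        if scheme != cls.SCHEME or not secret_name:
            raise ValueError(f"malformed URI for {cls.SCHEME}: {priv_key_uri!r}")
        # The signer asks the handler by *name*; it never sees where secrets live.
        return cls(secrets_handler(secret_name).encode(), public_key)

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(payload), signature)


Signer.SIGNER_FOR_URI_SCHEME[HmacStandInSigner.SCHEME] = HmacStandInSigner


def make_secrets_handler(service_config: Dict[str, str]) -> SecretsHandler:
    """Worker-side generic handler: it only knows secrets arrive via service config."""
    def handler(secret_name: str) -> str:
        if secret_name not in service_config:
            raise KeyError(f"secret {secret_name!r} not provided via service config")
        return service_config[secret_name]
    return handler


def worker_sign(service_config: Dict[str, str], trusted_key: PublicKey,
                payload: bytes) -> bytes:
    """What a worker would do: URI from config, key from root, generic secrets."""
    signer = Signer.from_priv_key_uri(service_config["SIGNER_URI"], trusted_key,
                                      make_secrets_handler(service_config))
    return signer.sign(payload)


def raises(exc_type, fn, *args) -> bool:
    """Helper to check a failure mode without a test framework."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


# Constructed sample inputs: service config and the matching trusted-root key.
SAMPLE_SECRET = "constructed-demo-secret-not-for-real-use"
SAMPLE_CONFIG = {"SIGNER_URI": "hmac-secret:ONLINE_KEY_SECRET",
                 "ONLINE_KEY_SECRET": SAMPLE_SECRET}
SAMPLE_TRUSTED_KEY = PublicKey(keyid_for(SAMPLE_SECRET.encode()), "hmac-standin")

if __name__ == "__main__":
    print(worker_sign(SAMPLE_CONFIG, SAMPLE_TRUSTED_KEY, b"snapshot metadata").hex())
```

The worker code path (`worker_sign`) contains no signer-specific logic: adding a Yubikey/HSM signer would mean registering another scheme on the CLI side and handing the worker a different URI, while the public key still comes from the trusted root and a mismatch between the loaded key material and that root key is rejected before anything is signed.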

@kairoaraujo
Member Author

@MVrachev
Member

MVrachev commented Apr 5, 2024

Have a look at admin2 commands for this issue.

4 participants