[Feature Request] Sign binaries with OpenBSD's signify #6
Comments
@borosai the signify availability on Linux is an advantage. However, in our signing process, we are using the HSMs (Hardware Security Modules), which store the private keys used for firmware signing. Given that we are not exposing the private key outside the HSM, is it possible to use signify with HSMs (i.e. does it support pkcs11)?
@miczyg1 It isn't directly supported, so it would require a manual or scripted solution (if possible). I imagine that's not ideal from your end, but I would gladly help. Out of curiosity, do you generate and store the private key in the HSM, or do you just store the key in the HSM after generating it elsewhere? I'm not familiar with HSM/pkcs11, so I'd like to understand your process a little more (whatever you can share), and perhaps an "easy" solution can be put together. Only if you're interested in continuing, of course.
@miczyg1 Thank you. I read that last night, along with some of the YubiKey documentation. I was also provided an example (link below) of what's currently required to use yubihsm-shell to store/sign with a signify key in a YubiKey. After looking at the available information, it doesn't seem that there's a practical solution at the moment. I'll continue to look into it, and perhaps purchase a YubiKey for testing, so this issue could be revisited later on if a better solution is found.
To start, I think an introduction to signify would be useful:
https://flak.tedunangst.com/post/signify
https://man.openbsd.org/signify
signify is an OpenBSD utility used to create and verify cryptographic signatures. It is also available as a package in various Linux distributions, and it's easy to install/build on other platforms as well.
I have already completed the process of verifying signatures with GnuPG, and it works perfectly fine. However, since I plan to run OpenBSD on the PC Engines apu2, being able to verify the signature with signify would be an appreciated enhancement. Although signify could be used in place of GnuPG, it is much smaller and simpler, and may not suit your needs in all cases, so signing binaries with both tools would probably work best. I tested it with the v4.11.0.3 release binaries on a Mac (key generation, signing, verifying) and it works as one would expect.
I'd be happy to assist with anything I can, of course. Just let me know.