[Rpm-maint] [rpm-software-management/rpm] rpmsign: enable signing files with PKCS11 tokens (PR #4125)
Jeremy Cline
notifications at github.com
Fri Feb 27 18:28:26 UTC 2026
jeremycline left a comment (rpm-software-management/rpm#4125)
> > For my use-case I'm fine having the keyid be provided in a config, but if someone really wants rpmsign to handle it I'd say require users to provide the PEM or DER encoded certificate that matches whatever key you're using and then using `imaevm_read_keyid` from that file.
>
> Maybe I was not clear, going from a certificate to find the corresponding private key in a PKCS#11 token is not straightforward, and may fail within OpenSSL + pkcs11-provider due to various limitations on the kind of information passed internally through OpenSSL.
>
> Ideally rpmsign identifies the private key directly, and not indirectly by virtue of an associated certificate. However if rpmsign can only deal with certificates as identifiers we'll try to find a way to deal with that.
Oh, maybe I wasn't clear. This PR lets you pass in the private key as a pkcs11 URI, e.g. `rpmsign --signfiles --fskpath "pkcs11:token=my_ima_token;id=%01;type=private" ...`. That's what you're suggesting is the ideal path, correct?
At the moment, no certificate is involved at all. You can provide anything you want as the keyid, and I was just saying if we _did_ want to determine the keyid automatically (which I don't really want to deal with) we'd do it by making the user provide the path to a matching certificate as a parameter in addition to the pkcs11 URI.
https://github.com/rpm-software-management/rpm/pull/4125#issuecomment-3974402405
Message ID: <rpm-software-management/rpm/pull/4125/c3974402405 at github.com>
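The exchange above turns on two things: `--fskpath` takes an RFC 7512 `pkcs11:` URI that names the private key object directly, and a certificate only enters the picture if the keyid is to be derived instead of configured. The following is an added example, not rpm or rpmsign code and not from the PR: it parses a `pkcs11:` URI into its path and query attributes (percent-decoding the binary `id`, so `id=%01` is the byte 0x01 and not the text "1"), checks that the URI selects exactly one private-key object, flags a PIN carried inline in the query, and includes a keyid helper that reproduces the ima-evm-utils v2 derivation as I understand it (last four bytes of SHA-1 over the DER SubjectPublicKeyInfo); treat that derivation, the function names, the token label and the sample key bytes as my own assumptions and constructions.

```python
# Added example: parse RFC 7512 "pkcs11:" URIs of the kind passed to
# rpmsign --fskpath in this PR, and derive an IMA keyid from public-key bytes.
# This is not rpm/rpmsign code; names and sample values are constructed.
import hashlib
from urllib.parse import unquote_to_bytes

# Object types RFC 7512 defines for the "type" path attribute.
OBJECT_TYPES = {b"public", b"private", b"cert", b"secret-key", b"data"}


def _attributes(part: str, separator: str) -> dict:
    """Split 'name=value' pairs, percent-decoding each value to bytes."""
    out = {}
    if not part:
        return out
    for item in part.split(separator):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        if name in out:
            # RFC 7512 does not let an attribute repeat; treat it as an error.
            raise ValueError(f"attribute {name!r} given twice")
        out[name] = unquote_to_bytes(value)
    return out


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {'path': {...}, 'query': {...}} with bytes values.

    Path attributes (token, id, object, type, ...) are ';'-separated; query
    attributes (pin-value, pin-source, module-path, ...) follow a '?' and are
    '&'-separated.  'id=%01' decodes to the single byte 0x01 (a CKA_ID).
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    parsed = {"path": _attributes(path_part, ";"),
              "query": _attributes(query_part, "&")}
    obj_type = parsed["path"].get("type")
    if obj_type is not None and obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {obj_type!r}")
    return parsed


def private_key_selector(uri: str) -> dict:
    """Check that a URI picks out one private-key object, which is what a
    file-signing key needs, and return the attributes a provider matches on."""
    parsed = parse_pkcs11_uri(uri)
    path = parsed["path"]
    if path.get("type") != b"private":
        raise ValueError("URI must carry type=private to name the signing key")
    if "id" not in path and "object" not in path:
        raise ValueError("URI needs an id or object label to select one key")
    selector = {k: path[k] for k in ("token", "id", "object") if k in path}
    # pin-value embeds the PIN in the URI, so it lands in shell history and
    # process listings; pin-source (a file or other reference) avoids that.
    selector["pin_in_uri"] = "pin-value" in parsed["query"]
    return selector


def keyid_v2(spki_der: bytes) -> str:
    """Hex keyid from DER SubjectPublicKeyInfo bytes.

    Assumption: this mirrors the ima-evm-utils v2 derivation (last 4 bytes of
    SHA-1 over the SPKI).  It is why a certificate would be needed to compute
    the keyid automatically when none is configured.
    """
    return hashlib.sha1(spki_der).digest()[16:20].hex()


if __name__ == "__main__":
    # The URI from the thread; "my_ima_token" is just a constructed label.
    print(private_key_selector("pkcs11:token=my_ima_token;id=%01;type=private"))
    # Constructed stand-in bytes, only to show the shape of the keyid output.
    print(keyid_v2(b"abc"))
```

`private_key_selector` refuses a URI with `type=cert` or with no `id`/`object`, which is the failure a provider would otherwise surface late and obscurely; the `pin_in_uri` flag is the check to run before a URI is written into a build config.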