Skip to content

Add PKCS#11 release signing#366

Draft
cyclic-pentane wants to merge 23 commits intomasterfrom
pkcs11-signing
Draft

Add PKCS#11 release signing#366
cyclic-pentane wants to merge 23 commits intomasterfrom
pkcs11-signing

Conversation

@cyclic-pentane
Copy link
Collaborator

@cyclic-pentane cyclic-pentane commented Feb 27, 2026
edited
Loading

Useful for signing your builds with keys that reside on hardware tokens, e.g. YubiKeys. Still a work-in-progress.

TODO:

  • don't overwrite existing keys on YubiKey in scripts
  • don't check for on-disk private keys in verifyKeysScript, but for the keys being there on the token with openssl
  • script for importing pre-existing keys into a YubiKey
  • don't hardcode key algorithms in YubiKey PIV key generation script
  • OTA payload signing
  • write option docs
  • PKMD derivation from X.509 certs
  • set custom sign_target_files_apk options
  • pass PIV PIN file to signapk.jar
  • test everything (initial flash AND ota upgrade)
  • add NEWS entry
  • docs

@cyclic-pentane cyclic-pentane force-pushed the pkcs11-signing branch 8 times, most recently from 37dc455 to 2dd33ed Compare March 4, 2026 19:40
@cyclic-pentane
signing: add sign_target_files_apk PKCS#11 patches
dac77b2
@cyclic-pentane
signing: first draft of PKCS#11 module
ce497e1
@cyclic-pentane
pkcs11: add option description
117a2ca
@cyclic-pentane
pkcs11: derive AVB PKMD in YubiKey key generation script
14b2dce
@cyclic-pentane
pkcs11: apply --payload_signer arg
bf6514f
@cyclic-pentane
pkcs11: apply patched-in sign_target_files_apks CLI args
afdc088
@cyclic-pentane
signing: check APK key size too
a4c640a
@cyclic-pentane
pkcs11: don't hardcode key algorithms
355a9da
@cyclic-pentane
signing: generate AVB X509 certificate too
b80bffa
@cyclic-pentane
pkcs11: add YubiKey key import script
13bbd35
@cyclic-pentane
pkcs11: don't overwrite existing YK PIV keys (not working yet)
014e537 
ykman seems to have some undeclared dependency that makes it break when
you clear PATH. Gonna debug this soon
@cyclic-pentane
signing: verify certificates (in lieu of private keys) in verifyKeysS…
2e6a148 
…cript
@cyclic-pentane
bump nixpkgs
f90cfee 
We need this for PKCS#11 signing, since the version bump of libp11 that
added the openssl PKCS#11 provicer only landed recently.

Also, pin nixfmt to the old nixpkgs one so we don't have to reformat
everything for the CI to be ready yet.
@cyclic-pentane
release: make signing script output prettier
da2df22 
This makes it a lot easier to read for debugging purposes.
@cyclic-pentane
pkcs11: move yubikey helper scripts into separate file
f8896a7
@cyclic-pentane
docs: fix mdbook config
ccffac7
@cyclic-pentane
remove lib.literalExample
d26e395
@cyclic-pentane
fix SunPKCS11 config
b041e39 
Looks like I have a slippery `p` key.
@cyclic-pentane
pkcs11: fix typo in signapk invocation
fe0aa91
@cyclic-pentane
pkcs11: fix key alias mapping functions
a90f6e3
@cyclic-pentane
signing: rework public_key_mapping patch
0b517bf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cyclic-pentane