Private keys in (v)TPMs? #336

Open

@nwf-msr
Hello and thanks for OctoKit.

We're using OctoKit's JS incarnation to drive a GitHub App for managing ephemeral runners and we'd like to have our GitHub App's private key not available in plain-text to the application. Although the key is stored under encryption at rest, when it's loaded into the App's backend code, it's at risk of being accidentally disclosed. Instead, we would much rather have the key loaded into our host machine's vTPM and used at a distance over PKCS#11 or similar.

It looks like auth-app uses universal-github-app-jwt, which ultimately uses the jsonwebtoken package for its JWT signing. The use of jsonwebtoken is similar to another request I filed with the Azure JS SDK team, as are potential process-spawning or socket-based connections, including the possible use of the OpenSSH agent protocol for signing JWTs. (See the links in this follow-up comment in particular.)

In any case, being able to bind our keys to machines' TPMs would make me feel a lot better about our security posture!
Thanks for your time.
