Support HSM signing #1912
Labels:
- backlog: Issues to address with priority for current development goals
- enhancement
- securesystemslib: Requires corresponding implementation in securesystemslib
Supersedes #569 and #864
Related to #1109 (out-of-band signing)
Groundwork available in secure-systems-lab/securesystemslib#229
Description of issue or feature request:
python-tuf (or rather `securesystemslib`) should provide an implementation to sign metadata with hardware security modules, like Yubikey, plus functions for public key export and signature verification.

Current behavior:
The `sign` method in the new Metadata API takes a `Signer` parameter which generates the actual signature. Currently, `securesystemslib` has one standard `Signer` implementation in `SSlibSigner`, which encapsulates `securesystemslib`-style private keys (rsa, ed25519, ecdsa) and generates a `Signature` that can be verified with a python-tuf `Key` using its `verify_signature` method.

Expected behavior:
- `HSMSigner` that can generate a signature on an HSM
  -> see `SSlibSigner` and `GPGSigner` (WIP) for inspiration, and sslib#229 for groundwork
- `Key`
  -> see `from_securesystemslib_key` for inspiration
- `Key.verify_signature` so that it can verify the corresponding signatures
  -> with sslib#229 verification should work out of the box