Thanks, applied as 33c4b37cab1ba5ae924e073d65ab0cbfa2b7c922. Michael
[sent from post-receive hook] On Sat, 20 Jun 2020 00:04:08 +0200, Bastian Krause <[email protected]> wrote: > Signed-off-by: Bastian Krause <[email protected]> > Reviewed-by: Roland Hieber <[email protected]> > Tested-by: Ladislav Michl <[email protected]> > Message-Id: <[email protected]> > Signed-off-by: Michael Olbrich <[email protected]> > > diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst > new file mode 100644 > index 000000000000..de0087f8b36a > --- /dev/null > +++ b/doc/dev_code_signing.rst > @@ -0,0 +1,36 @@ > +.. _code_signing: > + > +Code Signing > +------------ > + > +This is an overview over the ptxdist signing infrastructure. > +ptxdist uses PKCS#11 internally for providing access to keys and > certificates. > +Packages that wish to sign something should implement a PKCS#11 interface. > + > +As PKCS#11 URIs usually differ between different usecases (release vs. > +development) the URIs normally are not hardcoded in the package > configuration. > +Instead, ptxdist has the idea of "roles" which are string identifiers used to > +access a single private/public key pair and a certificate. > + > +ptxdist supports Hardware Security Modules (HSM). > +In case a HSM is not present or shall not be used SoftHSM is used internally > to > +transparently provide the same API internally. > + > +For each role a PKCS#11 URI must be known by ptxdist. > +In case of a HSM the keys and certificates are stored in the HSM, but ptxdist > +needs to know the PKCS#11 URI to access the keys. > +This is done in ptxdist rule files calling cs_set_uri <role> <uri>. > +For SoftHSM the URI is generated internally by ptxdist, but instead the > +keys/certificates for each role have have to be imported. > +This is done with the cs_import_* functions below. > + > +During each invocation of ptxdist exactly one key provider is active. > +The code signing provider can be chosen with the > PTXCONF_CODE_SIGNING_PROVIDER > +variable. > +A code signing provider is a package resposible for providing the role <-> > +PKCS#11 URI relationships in case a HSM is used or for providing the key > +material in case SoftHSM is used. > + > +A package which wants to sign something or which needs access to keys has to > +select CODE_SIGNING. > +This makes sure the keys are ready when the package is being built. > diff --git a/doc/dev_manual.rst b/doc/dev_manual.rst > index 47a77a9be62f..03a05a661a97 100644 > --- a/doc/dev_manual.rst > +++ b/doc/dev_manual.rst > @@ -14,3 +14,4 @@ This chapter shows all (or most) of the details of how > PTXdist works. > dev_add_bin_only_files > dev_create_new_pkg_templates > dev_layers_in_ptxdist > + dev_code_signing > diff --git a/scripts/lib/ptxd_lib_code_signing.sh > b/scripts/lib/ptxd_lib_code_signing.sh > index a7779f8212c6..65ce62dd0a32 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh > @@ -7,36 +7,8 @@ > # > > # > -# This is an overview over the ptxdist signing infrastructure. ptxdist > -# uses PKCS#11 internally for providing access to keys and certificates. > -# Packages that wish to sign something should implement a PKCS#11 interface. > -# > -# As PKCS#11 URIs usually differ between different usecases (release vs. > -# development) the URIs normally are not hardcoded in the package > -# configuration. Instead, ptxdist has the idea of "roles" which are string > -# identifiers used to access a single private/public key pair and a > -# certificate. > -# > -# ptxdist supports Hardware Security Modules (HSM). In case a HSM is not > -# present or shall not be used SoftHSM is used internally to transparently > -# provide the same API internally. > -# > -# For each role a PKCS#11 URI must be known by ptxdist. In case of a HSM > -# the keys and certificates are stored in the HSM, but ptxdist needs to know > -# the PKCS#11 URI to access the keys. This is done in ptxdist rule files > -# calling cs_set_uri <role> <uri>. For SoftHSM the URI is generated > internally > -# by ptxdist, but instead the keys/certificates for each role have have to > -# be imported. This is done with the cs_import_* functions below. > -# > -# During each invocation of ptxdist exactly one key provider is active. The > -# code signing provider can be chosen with the PTXCONF_CODE_SIGNING_PROVIDER > -# variable. A code signing provider is a package resposible for providing > -# the role <-> PKCS#11 URI relationships in case a HSM is used or for > providing > -# the key material in case SoftHSM is used. > -# > -# A package which wants to sign something or which needs access to keys has > -# to select CODE_SIGNING. This makes sure the keys are ready when the package > -# is being built. > +# See doc/dev_code_signing.rst for documentation about PTXdist's code signing > +# infrastructure. > # > > cs_check_env() { _______________________________________________ ptxdist mailing list [email protected] To unsubscribe, send a mail with subject "unsubscribe" to [email protected]
