Hi,
Sorry for the delay in sending this.
I prepared a simple package named dsigning-box that should be installed
on the same machine that has access to the tokens:
https://github.com/helen-fornazier/dsigning-box
For now it only contains a script to sign EFI and kernel modules from a
tarball; it is almost the same script as in the previous patch
(byhand-code-sign-user), I just changed where it gets the tarball and
where it places the signatures (which can be changed by a configuration
file).
As before, I tested with and without a yubikey using this script:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Please review.
I also made dak patches to integrate with dsigning-box in a remote
machine: https://github.com/helen-fornazier/dak/commits/review
These patches add a script called byhand-code-sign which will send
(rsync) the tarball with the images to be signed to the machine that has
dsigning-box installed. This script executes a command by ssh in
dsigning-box to sign the images. As we don't have a dedicated machine
yet to install dsigning-box, the signatures will be copied to another
machine (coccia.debian.org?) that can be changed in the configuration
file (this is temporary as the signatures should stay in the signing box).
Please review all this and let me know if I should alter anything.
Let me know if you prefer that I send email patches to be easier to review.
Helen