Hi Scott,
we would like to sign images using an HSM and those provide PKCS#11
(https://www.ibm.com/security/cryptocards/pciecc/overview,
https://www.yubico.com/product/yubihsm-2,
https://www.nitrokey.com/#comparison)
and there does not seem to be any proper connection from that to the
OpenPGP world. The only thing I found might be
https://github.com/alonbl/gnupg-pkcs11-scd
and that looks also a bit limited and dated. I'm currently
especially interested in a way to use that IBM crypto card. A
relatively easy solution might be to just store the signature hash
in the signature file. To verify that it seems to be enough to do
something like "openssl dgst -sha256 -verify public.pem -signature
manifest.sig manifest.json". My understanding so far is that this is
actually a PKCS#1 hash calculation. Anyhow if I could get podman
doing that openssl call instead of openpgp things would be working
for me.
regards,
Hendrik
On 11.05.2020 18:38, Scott McCarty wrote:
> Hendrik,
>
> That's all that's supported today. Do you have any other tools you
> would be looking for?
>
> Best Regards
> Scott M
>
>> Hi,
>>
>> is OpenPGP the only image signing option supported by podman /
>> skopeo or are there other options? Using OpenGPG works quite fine
>> for me so far but in the end we are trying to sign an image using an
>> IBM 4765 crypto card and so far have not figured out how this can
>> play together.
>>
>> thanks,
>> Hendrik
_______________________________________________
Podman mailing list -- podman@lists.podman.io
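
The openssl check quoted in the first message of this thread, run end to end as an added example (not code from the thread's participants or from podman). public.pem, manifest.sig and manifest.json are the file names from the message; private.pem, the manifest content and the throwaway software key standing in for an HSM-held key are assumptions.

```shell
#!/bin/sh
# Added example. private.pem and the manifest content are constructed; the
# software key only stands in for a key that would live in the HSM.

# Create a scratch directory holding a throwaway RSA key pair and a manifest.
setup_demo() {
    demo_dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$demo_dir/private.pem" 2>/dev/null || return 1
    openssl pkey -in "$demo_dir/private.pem" -pubout \
        -out "$demo_dir/public.pem" || return 1
    printf '%s\n' '{"schemaVersion": 2, "note": "constructed sample"}' \
        > "$demo_dir/manifest.json"
}

# Sign the manifest: SHA-256 digest, then an RSA signature over it
# (PKCS#1 v1.5 padding is what openssl dgst uses for RSA keys by default).
# $1 = private key, $2 = manifest, $3 = signature file to write
sign_manifest() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify with the command quoted in the message. Succeeds only when openssl
# reports "Verified OK"; a changed manifest, a wrong key or an openssl error
# all count as failure.
# $1 = public key, $2 = signature file, $3 = manifest
verify_manifest() {
    [ "$(openssl dgst -sha256 -verify "$1" -signature "$2" "$3" 2>/dev/null)" = "Verified OK" ]
}

setup_demo || exit 1
sign_manifest "$demo_dir/private.pem" "$demo_dir/manifest.json" "$demo_dir/manifest.sig" || exit 1

if verify_manifest "$demo_dir/public.pem" "$demo_dir/manifest.sig" "$demo_dir/manifest.json"; then
    echo "original manifest: signature accepted"
fi

# The signature covers the exact bytes of the file, so even one appended
# space (for example from re-serialising the JSON) must be rejected.
printf ' ' >> "$demo_dir/manifest.json"
if ! verify_manifest "$demo_dir/public.pem" "$demo_dir/manifest.sig" "$demo_dir/manifest.json"; then
    echo "modified manifest: signature rejected"
fi
rm -rf "$demo_dir"
```

Only the public key and the detached signature are needed on the verifying side; the private-key operation in `sign_manifest` is the step an HSM would perform.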