Generating a keypair on a Nitrokey HSM fails

On the Nitrokey HSM that I have, keytool cannot generate private keys via PKCS#11.

I have posted about this on the Nitrokey forum. The underlying cause -- as I understand it so far -- is that keytool doesn't actually generate a key pair on the HSM; it instead generates it in software and tries to import it (which the Nitrokey HSM denies).

Steps to reproduce

  • fdroid init
  • Edit the config.yml to set the repo_keyalias, keystore: NONE, keystorepass and the other relevant options
  • fdroid update --create-key

System info

  • Debian 13 (Trixie)
  • Java 21 (from apt)
  • fdroidserver 2.4.2 (from stable apt, NO backport)

Log

The TLDR of the human-facing error message is:

keytool error: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_NOT_SUPPORTED

The full log, including the opensc debug trace, is very similar to the one I posted in the Nitrokey forum.

Context

I am somewhat surprised, because fdroid update --create-key seems to work with a Nitrokey HSM for @Bubu in https://f-droid.org/en/2020/10/05/ntrokey-signing.html ? I don't know what has changed since.

Workaround

The same workaround that I describe in the Nitrokey forum for generating a key for a single APK should also work for generating a key for the repo index:

  1. Generate an RSA key pair with pkcs11-tool
  2. Generate a self-signed certificate with certtool
  3. Load the cert onto the Nitrokey with pkcs11-tool

Doing this got me one step closer to signing the repo index. However, then I ran into another bug (see #1313).
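The three-step workaround above written out as a script, as an added example that is not from the issue or from fdroidserver. It assumes the Debian path of the OpenSC PKCS#11 module, a certtool/p11-kit setup that can see that module, the PIN in $HSM_PIN, and the key id, label and certificate subject chosen here.

```shell
#!/bin/sh
# Added example: key pair on the HSM, self-signed cert via certtool, cert back onto the token.
# Assumptions: Debian opensc-pkcs11 module path, p11-kit knows the module, PIN in $HSM_PIN.
set -eu

MODULE="${MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
KEY_ID="${KEY_ID:-10}"                 # CKA_ID (hex); the cert must reuse it, see load_cert
KEY_LABEL="${KEY_LABEL:-repo-signing}"  # chosen here, not from the issue
TEMPLATE="${TEMPLATE:-cert.cfg}"

# Write the certtool template: signing-only end-entity cert with a long validity.
write_template() {
  cat > "$1" <<EOF
cn = "F-Droid repo signing (hypothetical subject)"
organization = "example"
expiration_days = 7300
signing_key
EOF
  grep -c '^signing_key' "$1"   # prints 1 when the template was written
}

# Step 1: generate the RSA key pair on the token itself; the private key never leaves it.
gen_keypair() {
  pkcs11-tool --module "$MODULE" --login --pin "$HSM_PIN" \
    --keypairgen --key-type rsa:4096 --usage-sign \
    --id "$KEY_ID" --label "$KEY_LABEL"
}

# Step 2: self-signed certificate; the key is referenced by PKCS#11 URL, so the
# signature is produced on the HSM.
gen_cert() {
  certtool --generate-self-signed \
    --load-privkey "pkcs11:object=$KEY_LABEL;type=private" \
    --load-pubkey "pkcs11:object=$KEY_LABEL;type=public" \
    --template "$TEMPLATE" --outder --outfile cert.der
}

# Step 3: store the cert under the same CKA_ID and label, which is what SunPKCS11
# uses to pair a certificate with its private key into one keystore entry.
load_cert() {
  pkcs11-tool --module "$MODULE" --login --pin "$HSM_PIN" \
    --write-object cert.der --type cert --id "$KEY_ID" --label "$KEY_LABEL"
}

# Only touch the token when invoked as: ./workaround.sh run
if [ "${1:-}" = "run" ]; then
  write_template "$TEMPLATE" >/dev/null
  gen_keypair && gen_cert && load_cert
  pkcs11-tool --module "$MODULE" --list-objects   # key and cert should share the id
fi
```

After the run, keytool -list -keystore NONE -storetype PKCS11 should show the label as a PrivateKeyEntry; if it appears as a bare certificate entry, the CKA_ID of cert and key do not match.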

Edited by Thore Göbel