WIP: Allow using wrapped keys with a HSM

Marcus requested to merge (removed):wrapped_keys into master

Based on !782 (merged). Feedback welcome.

Wrapped keys are encrypted by a key that only resides inside the HSM. This allows us to use many more keys than the HSM has key storage space for, as the wrapped keys can be stored on plain storage.

This is an optional enhancement for fdroid publish and can be enabled by defining 'wrappedkeysdir', 'wrapcommand' and 'unwrapcommand' in config.py.

The wrap and unwrap commands will be strictly dependent on the HSM used, as this isn't covered by the PKCS#11 standard. The config.py examples added here were tested with a Nitrokey HSM2.

The publish process in this mode gets extended as follows:

  1. Upload "encrypted APK signing key #N" to the HSM
  2. Sign the APK using "encrypted APK signing key #N"
  3. Delete "encrypted APK signing key #N" from the HSM

For newly generated signing keys, steps 2 and 3 are carried out as well. Keys that are currently already stored in the HSM are used for signing and then wrapped and deleted from the HSM.

Additionally store the signing key fingerprints next to a wrapped key

This is needed for the publishsigkeys.jar generation, which is later used by update.py.
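The three-step publish flow and the fingerprint sidecar described above, as an added illustration (not fdroidserver code from this merge request). It assumes, hypothetically, that the `wrapcommand` and `unwrapcommand` templates from config.py take `{keyid}` and `{wrapped}` placeholders, that a `deletecommand` template removes the key object from the HSM, that signing is any callable, and that the stored fingerprint is the SHA-256 hex of the certificate DER.

```python
import hashlib
import shlex
import subprocess
from pathlib import Path


def run_hsm_cmd(template, runner=subprocess.run, **fields):
    """Render a config.py command template and run it; a non-zero exit raises."""
    argv = shlex.split(template.format(**fields))
    runner(argv, check=True)
    return argv


def wrapped_path(config, keyid):
    """Location of the wrapped blob under the configured wrappedkeysdir."""
    return Path(config["wrappedkeysdir"]) / f"{keyid}.wrapped"


def store_fingerprint(config, keyid, cert_der):
    """Keep the certificate fingerprint next to the wrapped key so
    publishsigkeys.jar can be built later without unwrapping anything.
    Assumption: fingerprint = SHA-256 hex of the DER certificate."""
    fp = hashlib.sha256(cert_der).hexdigest()
    wrapped_path(config, keyid).with_suffix(".fingerprint").write_text(fp + "\n")
    return fp


def sign_with_wrapped_key(config, keyid, sign_fn, runner=subprocess.run):
    """Steps 1-3: upload (unwrap) the key into the HSM, sign, delete it again.
    Deletion sits in ``finally`` so a failed signature never leaves the
    plaintext key resident in the HSM. 'deletecommand' is a hypothetical key."""
    wrapped = wrapped_path(config, keyid)
    run_hsm_cmd(config["unwrapcommand"], runner, keyid=keyid, wrapped=wrapped)
    try:
        return sign_fn(keyid)
    finally:
        run_hsm_cmd(config["deletecommand"], runner, keyid=keyid)


def wrap_resident_key(config, keyid, sign_fn, runner=subprocess.run):
    """Key already in the HSM (or freshly generated): sign with it, wrap it to
    plain storage, and only then delete it, so the key is never lost if the
    wrap step silently produced nothing."""
    wrapped = wrapped_path(config, keyid)
    wrapped.parent.mkdir(parents=True, exist_ok=True)
    result = sign_fn(keyid)
    run_hsm_cmd(config["wrapcommand"], runner, keyid=keyid, wrapped=wrapped)
    if not wrapped.is_file():
        raise RuntimeError(f"wrap produced no file at {wrapped}; refusing to delete")
    run_hsm_cmd(config["deletecommand"], runner, keyid=keyid)
    return result
```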

Edited by Hans-Christoph Steiner
