WIP: Allow using wrapped keys with a HSM (!783) · Merge requests · F-Droid / fdroidserver

The source project of this merge request has been removed.

Marcus requested to merge (removed):wrapped_keys into master Aug 15, 2020

Based on !782 (merged). Feedback welcome.

Wrapped keys are encrypted by a key only residing inside the HSM, this allows us to use many more keys than the HSM has key storage space as the wrapped keys can be stored on plain storage.

This is an optional enhancement for fdroid publish and can be enabled by defining 'wrappedkeysdir', 'wrapcommand' and 'unwrapcommand' in config.py.

The wrap and unwrap commands will be strictly dependent on the HSM used as this isn't covered by the PKCS11 standard. The config.py examples added here were tested with a Nitrokey HSM2.

The publish process in this mode gets extended as follows:

Upload "encrypted APK signing key #N" to the HSM
Sign the APK using "encrypted APK signing key #N"
Delete "encrypted APK signing key #N" from the HSM

For newly generated signing keys steps 2. and 3. are carried out as well. Keys that are currently already stored in the HSM are using for signing and then wrapped and deleted from the HSM.

Additionally store the signing key fingerprints next to a wrapped key

This is needed for the publishsigkeys.jar generation which is later used by update.py.

Edited Sep 14, 2020 by Hans-Christoph Steiner

WIP: Allow using wrapped keys with a HSM

Merge request reports