Categorygithub.com/mendersoftware/mender-artifactartifactkeyfactor
package
0.0.0-20250305153802-6650c2ba378b
Repository: https://github.com/mendersoftware/mender-artifact.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
12
Dependents
1
Files
218 SLOC

# README

SignServer

Keyfactor SignServer Signer for Mender Artifact

The Keyfactor SignServer Signer for Mender Artifact is a custom signer for the Mender OTA update manager. It uses Keyfactor SignServer to sign Mender Artifacts.

Signing and Verification requests are forwarded to SignServer via the SignServer REST API, available in SignServer v6 and later.

Keyfactor SignServer enables organizations to automate the signing of Mender artifacts with a secure, auditable, and compliant process. PKI resources are stored in a secure, centralized location, and signing operations are performed by a dedicated signing service. This ensures that signing keys are never exposed to the Mender server. Additionally, SignServer enables compliance with internal IT policy by enforcing access policies.

Keyfactor SignServer Signer for Mender Artifact

Requirements

SignServer Configuration

The SignServer Signer for Mender Artifact requires a SignServer PlainSigner worker. The worker must be configured with the following properties:

PropertyValue
ACCEPTED_HASH_DIGEST_ALGORITHMSSHA-256, SHA-384, SHA-512
AUTHTYPENOAUTH
CRYPTOTOKENCryptoTokenP12
DEFAULTKEYsigner00003
DISABLEKEYUSAGECOUNTERtrue
DO_LOGREQUEST_DIGEST
IMPLEMENTATION_CLASSorg.signserver.module.cmssigner.PlainSigner
LOGREQUEST_DIGESTALGORITHM
NAMEMenderPlainSigner
SIGNATUREALGORITHMNONEwithRSA
TYPEPROCESSABLE
CLIENTSIDEHASHINGtrue

Usage

Authentication with the SignServer REST API is performed using a client certificate. The client certificate must be a PEM encoded X509v3 certificate with an unencrypted private key in PKCS#8 format. The certificate and private key can be stored in the same file or in separate files. The certificate and private key must be stored in a directory accessible to the context in which the signer is invoked. The following environment variables can be used to configure the signer:

Environment VariableDescriptionRequired
SIGNSERVER_HOSTNAMEThe host name of the SignServer instance to use for signing.
SIGNSERVER_CLIENT_CERT_PATHThe path to the client certificate used to authenticate with the SignServer REST API.
SIGNSERVER_CLIENT_CERT_KEY_PATHThe path to the private key for the client certificate. The signer will recognize if the private key is in the same file as the client certificate.
SIGNSERVER_CA_CERT_PATHThe path to the root CA certificate (and any intermediates) used to verify the SignServer server certificate, if it wasn't signed by a trusted CA.

To use the SignServer Signer for Mender Artifact, invoke the Mender Artifact CLI with the --keyfactor-signserver-worker option:

mender-artifact sign <artifact-path> --keyfactor-signserver-worker <keyfactor-signserver-worker>

# Functions

No description provided by the author

# Structs

No description provided by the author