Mender Artifact signing key stored in smart card

I am trying to use the key pair stored in smart cards to sign the Mender artifacts. However, the mender-artifact tool doesn’t have any configuration file to read private keys from smart cards. Is there any way to use the private key which is stored in smart cards?

The tool doesn’t provide it, but you may be able to do it manually with a bit of tinkering. We are using this Golang call for the actual signing, with a SHA256 hash of the manifest file inside the artifact. The artifact file is just a tar archive. The result is then base64 encoded and put in manifest.sig, right after manifest, so you can just repack the artifact as a tar file with all the files in the same order, with manifest.sig inserted right after manifest.

If you figure it out, please post the result, this may be useful for other people too!

Hi

I am using Google Cloud services for storing my private.key. When I sign a Mender artifact, the Google service returns the manifest file and I want to include it in the artifact. Is there a guide about how to repack an artifact with this file inside? If I just add the manifest.sig into the artifact, it returns an error when I try to validate it.

Thanks in advance for any help you can provide

I am not sure how you are adding the signature to the Artifact. But the format is specific in that it must be placed right after the manifest, as can be seen here: https://github.com/mendersoftware/mender-artifact/blob/master/Documentation/artifact-format-v3.md
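A worked example of the repacking described two replies up, combined with the placement rule from the reply above. It is added here for illustration and is not code from this thread or from the mender-artifact project. Assumptions: the signature is RSA PKCS#1 v1.5 over the SHA-256 digest of the manifest (the thread does not name the Go call, so the scheme is assumed); a freshly generated software RSA key stands in for the smart-card key; the artifact is treated as a plain tar, and the sample artifact built in main() is constructed, not a real Mender artifact. The verifier checks only where manifest.sig sits and whether its signature validates, not the per-file checksums the manifest lists, which the real tool also validates.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
)

// SignManifest builds the manifest.sig payload: a base64-encoded signature over the
// SHA-256 digest of the manifest. Assumed scheme: RSA PKCS#1 v1.5, which is what
// passing crypto.SHA256 as the options selects for an RSA crypto.Signer.
func SignManifest(signer crypto.Signer, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	return []byte(base64.StdEncoding.EncodeToString(sig)), err
}

// addFile appends one regular file to a tar stream.
func addFile(tw *tar.Writer, name string, body []byte) error {
	err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	if err == nil {
		_, err = tw.Write(body)
	}
	return err
}

// RepackWithSignature copies every entry in its original order, drops any stale or
// misplaced manifest.sig, and inserts a fresh manifest.sig directly after manifest.
func RepackWithSignature(artifact []byte, signer crypto.Signer) ([]byte, error) {
	tr, out := tar.NewReader(bytes.NewReader(artifact)), new(bytes.Buffer)
	tw := tar.NewWriter(out)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if hdr.Name == "manifest.sig" {
			continue
		}
		body, err := io.ReadAll(tr)
		if err == nil {
			err = addFile(tw, hdr.Name, body)
		}
		if err == nil && hdr.Name == "manifest" { // the one position the verifier accepts
			var sig []byte
			if sig, err = SignManifest(signer, body); err == nil {
				err = addFile(tw, "manifest.sig", sig)
			}
		}
		if err != nil {
			return nil, err
		}
	}
	err := tw.Close() // writes the tar trailer, so it must run before out.Bytes()
	return out.Bytes(), err
}

// VerifyArtifact mirrors the device-side check: the entry right after manifest must
// be manifest.sig, and its signature must verify under the key installed on the device.
func VerifyArtifact(artifact []byte, pub *rsa.PublicKey) error {
	tr := tar.NewReader(bytes.NewReader(artifact))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		if hdr.Name != "manifest" {
			continue
		}
		manifest, _ := io.ReadAll(tr) // a short read only makes the signature check fail
		if hdr, err = tr.Next(); err != nil {
			return fmt.Errorf("nothing follows manifest: %w", err)
		} else if hdr.Name != "manifest.sig" {
			return fmt.Errorf("manifest.sig must directly follow manifest, found %q", hdr.Name)
		}
		b64, _ := io.ReadAll(tr)
		raw, err := base64.StdEncoding.DecodeString(string(b64))
		if err != nil {
			return err
		}
		digest := sha256.Sum256(manifest)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw)
	}
	return fmt.Errorf("artifact has no manifest entry")
}

func main() {
	in := new(bytes.Buffer) // constructed, minimal artifact-shaped tar, not a real one
	tw := tar.NewWriter(in)
	for _, e := range [][2]string{{"version", "3"}, {"manifest", "<constructed checksum>  header.tar.gz\n"}, {"header.tar.gz", "x"}} {
		_ = addFile(tw, e[0], []byte(e[1]))
	}
	_ = tw.Close()
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // software stand-in for the card key
	signed, err := RepackWithSignature(in.Bytes(), key)
	fmt.Println("repack:", err, "verify:", VerifyArtifact(signed, &key.PublicKey))
}
```

The seam for the smart card is the crypto.Signer interface: SignManifest hands the signer nothing but a 32-byte digest, so a PKCS#11 wrapper that exposes the card key as a crypto.Signer (the Go crypto11 package is one such option, not something this thread uses) replaces the software key without touching the repacking code, and the private key never leaves the card. RepackWithSignature deliberately discards any manifest.sig it finds before inserting its own, which also repairs an artifact whose signature was appended at the end.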

Hi,

Were you able to sign the Mender artifact with keys stored in Google Cloud successfully?

Thanks & Regards,
Vinoth

Hi @evk1206 I’m not quite sure what you are asking here but we did do a reference integration with GCP where we used the same certificate to authenticate to both the Mender and GCP servers. You can find details about that here: https://cloud.google.com/blog/products/iot-devices/mender-and-cloud-iot-facilitate-robust-device-update-management

The signing keys are generally not stored in any cloud for security reasons. In some highly secure setups they are stored in airgapped systems. The verification keys need to be installed on the device.

Drew

@evk1206, I think your best bet is to do what is suggested above.