mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Bastian Krause <bst@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: rhi@pengutronix.de, Bastian Krause <bst@pengutronix.de>
Subject: [ptxdist] [PATCH 3/5] doc: move code signing docs from scripts/ into doc/
Date: Mon,  8 Jun 2020 10:53:03 +0200	[thread overview]
Message-ID: <20200608085305.30964-4-bst@pengutronix.de> (raw)
In-Reply-To: <20200608085305.30964-1-bst@pengutronix.de>

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 doc/dev_code_signing.rst             | 36 ++++++++++++++++++++++++++++
 doc/dev_manual.rst                   |  1 +
 scripts/lib/ptxd_lib_code_signing.sh | 32 ++-----------------------
 3 files changed, 39 insertions(+), 30 deletions(-)
 create mode 100644 doc/dev_code_signing.rst

diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
new file mode 100644
index 000000000..de0087f8b
--- /dev/null
+++ b/doc/dev_code_signing.rst
@@ -0,0 +1,36 @@
+.. _code_signing:
+
+Code Signing
+------------
+
+This is an overview over the ptxdist signing infrastructure.
+ptxdist uses PKCS#11 internally for providing access to keys and certificates.
+Packages that wish to sign something should implement a PKCS#11 interface.
+
+As PKCS#11 URIs usually differ between different usecases (release vs.
+development) the URIs normally are not hardcoded in the package configuration.
+Instead, ptxdist has the idea of "roles" which are string identifiers used to
+access a single private/public key pair and a certificate.
+
+ptxdist supports Hardware Security Modules (HSM).
+In case a HSM is not present or shall not be used SoftHSM is used internally to
+transparently provide the same API internally.
+
+For each role a PKCS#11 URI must be known by ptxdist.
+In case of a HSM the keys and certificates are stored in the HSM, but ptxdist
+needs to know the PKCS#11 URI to access the keys.
+This is done in ptxdist rule files calling cs_set_uri <role> <uri>.
+For SoftHSM the URI is generated internally by ptxdist, but instead the
+keys/certificates for each role have have to be imported.
+This is done with the cs_import_* functions below.
+
+During each invocation of ptxdist exactly one key provider is active.
+The code signing provider can be chosen with the PTXCONF_CODE_SIGNING_PROVIDER
+variable.
+A code signing provider is a package resposible for providing the role <->
+PKCS#11 URI relationships in case a HSM is used or for providing the key
+material in case SoftHSM is used.
+
+A package which wants to sign something or which needs access to keys has to
+select CODE_SIGNING.
+This makes sure the keys are ready when the package is being built.
diff --git a/doc/dev_manual.rst b/doc/dev_manual.rst
index 47a77a9be..03a05a661 100644
--- a/doc/dev_manual.rst
+++ b/doc/dev_manual.rst
@@ -14,3 +14,4 @@ This chapter shows all (or most) of the details of how PTXdist works.
    dev_add_bin_only_files
    dev_create_new_pkg_templates
    dev_layers_in_ptxdist
+   dev_code_signing
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index a7779f821..34d7251fd 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -7,36 +7,8 @@
 #
 
 #
-# This is an overview over the ptxdist signing infrastructure. ptxdist
-# uses PKCS#11 internally for providing access to keys and certificates.
-# Packages that wish to sign something should implement a PKCS#11 interface.
-#
-# As PKCS#11 URIs usually differ between different usecases (release vs.
-# development) the URIs normally are not hardcoded in the package
-# configuration. Instead, ptxdist has the idea of "roles" which are string
-# identifiers used to access a single private/public key pair and a
-# certificate.
-#
-# ptxdist supports Hardware Security Modules (HSM). In case a HSM is not
-# present or shall not be used SoftHSM is used internally to transparently
-# provide the same API internally.
-#
-# For each role a PKCS#11 URI must be known by ptxdist. In case of a HSM
-# the keys and certificates are stored in the HSM, but ptxdist needs to know
-# the PKCS#11 URI to access the keys. This is done in ptxdist rule files
-# calling cs_set_uri <role> <uri>. For SoftHSM the URI is generated internally
-# by ptxdist, but instead the keys/certificates for each role have have to
-# be imported. This is done with the cs_import_* functions below.
-#
-# During each invocation of ptxdist exactly one key provider is active. The
-# code signing provider can be chosen with the PTXCONF_CODE_SIGNING_PROVIDER
-# variable. A code signing provider is a package resposible for providing
-# the role <-> PKCS#11 URI relationships in case a HSM is used or for providing
-# the key material in case SoftHSM is used.
-#
-# A package which wants to sign something or which needs access to keys has
-# to select CODE_SIGNING. This makes sure the keys are ready when the package
-# is being built.
+# See doc/dev_code_signing.inc for documentation about ptxdist's code signing
+# infrastructure.
 #
 
 cs_check_env() {
-- 
2.27.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

  parent reply	other threads:[~2020-06-08  8:53 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-08  8:53 [ptxdist] [PATCH 0/5] Add code-signing-provider template, add code signing docs Bastian Krause
2020-06-08  8:53 ` [ptxdist] [PATCH 1/5] package templates: add code-signing-provider template Bastian Krause
2020-06-12  9:18   ` Michael Olbrich
2020-06-12  9:54     ` Michael Olbrich
2020-06-12 10:05       ` Michael Olbrich
2020-06-12 11:05         ` Bastian Krause
2020-06-17 14:45           ` Bastian Krause
2020-06-16 13:56     ` Bastian Krause
2020-06-16 15:00       ` Michael Olbrich
2020-06-08  8:53 ` [ptxdist] [PATCH 2/5] doc: dev_manual: split up into multiple files Bastian Krause
2020-06-08  8:53 ` Bastian Krause [this message]
2020-06-08  8:53 ` [ptxdist] [PATCH 4/5] doc: dev_code_signing: rework and extend code signing section Bastian Krause
2020-06-08 10:16   ` Roland Hieber
2020-06-12  8:55     ` Bastian Krause
2020-06-08  8:53 ` [ptxdist] [PATCH 5/5] doc: introduce ref_code_signing_helpers Bastian Krause
2020-06-12  9:28   ` Michael Olbrich
2020-06-12  9:49   ` Michael Olbrich
2020-06-08 10:17 ` [ptxdist] [PATCH 0/5] Add code-signing-provider template, add code signing docs Roland Hieber
2020-06-09 15:04   ` Ladislav Michl
2020-06-12 10:04 ` Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200608085305.30964-4-bst@pengutronix.de \
    --to=bst@pengutronix.de \
    --cc=ptxdist@pengutronix.de \
    --cc=rhi@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox