poudriereakv

v0.0.0-...-86d4664 Latest
Warning

This package is not in the latest version of its module.

Published: May 5, 2023 License: MIT Imports: 13 Imported by: 0

README

poudriereakv

This program can be configured as an external signing command in poudriere.conf to sign package repositories using a key stored in Azure Key Vault.

It takes one parameter: the key URI to be used for signing. Credentials can be passed in via the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID environment variables, but unless it's for testing you'll want to use a managed service identity, which is used by default as long as only one (system- or user-managed) is available.

This is not an official Microsoft project.

License

MIT

Documentation

Overview

Package poudriereakv implements signing of message digests using keys stored in Azure Key Vault.


Types

type KeyVaultKey

type KeyVaultKey struct {
	PEMKey []byte // The public portion of the key in PEM encoding.
	// contains filtered or unexported fields
}

KeyVaultKey represents an RSA key pair stored in Azure Key Vault.

func GetKey

func GetKey(uri string) (*KeyVaultKey, error)

GetKey creates a KeyVaultKey representing a key pair stored in Azure Key Vault.

func (*KeyVaultKey) Sign

func (k *KeyVaultKey) Sign(ctx context.Context, digest []byte) (Result, error)

Sign signs the provided digest using this key.

type Result

type Result struct {
	KeyID     string // The versioned URI of the key used for this operation.
	Signature []byte // The PKCS#1 signature of the provided digest.
}

Result represents the result of an Azure Key Vault signing operation.
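
A publishing pipeline can check the signature it gets back against the key's public half before releasing a repository. The following is an added example, not code from poudriereakv: it assumes the signature is RSASSA-PKCS1-v1_5 over a SHA-256 digest (the page says only "PKCS#1"), and `VerifyDigest` and `LocalSign` are hypothetical names, with a throwaway local key standing in for Key Vault.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// VerifyDigest checks an RSA PKCS#1 v1.5 signature over a SHA-256 digest against
// a PEM public key (PKIX or PKCS#1 DER). Hypothetical helper, not poudriereakv's.
func VerifyDigest(pemKey, digest, sig []byte) error {
	block, _ := pem.Decode(pemKey)
	if block == nil {
		return errors.New("no PEM block in public key")
	}
	if k, err := x509.ParsePKIXPublicKey(block.Bytes); err == nil {
		if pub, ok := k.(*rsa.PublicKey); ok {
			return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig)
		}
		return errors.New("public key is not RSA")
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil {
		return errors.New("unsupported public key encoding")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig)
}

// LocalSign stands in for KeyVaultKey.Sign with a throwaway local key
// (constructed test data) and returns the PEM public key and signature.
func LocalSign(digest []byte) (pemKey, sig []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pemKey = pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&priv.PublicKey)})
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
	return pemKey, sig, err
}

func main() {
	d := sha256.Sum256([]byte("constructed repository manifest"))
	pemKey, sig, _ := LocalSign(d[:])
	fmt.Println("valid:", VerifyDigest(pemKey, d[:], sig) == nil)
}
```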

Directories

Path Synopsis
cmd
