RFC: Remote signing support for mkimage

[Peter Robinson]

Hi Daniel,

> I wanted to check whether a patch I'd like to submit to mkimage to better support remote secure signing servers would be acceptable for upstream.
>
> Currently, we support this capability via a custom PKCS#11 module via an OpenSSL engine. The migration to OpenSSL 3 (and the need to upgrade our libp11 dependency) is going to force major changes on our end, as newer releases of libp11 no longer reliably support signing with our OpenSSL engine/custom PKCS#11 module. The libp11 maintainers have explicitly stated they only support OpenSSL engines on a best-effort basis.
>
> It seems to me that the ideal solution would be support for a 3-step signing flow in mkimage:
>
> 1. mkimage --emit-hashes — emits all hashes that need to be signed
> 2. External signing tooling produces signatures
> 3. mkimage --inject-signatures — signatures for each hash are provided, validated against a provided public key, and injected back into the image
>
> We're aware the OpenSSL provider system is a potential uplift path, but we believe a tooling-agnostic signing interface would be more accessible to organizations with diverse signing infrastructure, avoiding the need to implement and maintain custom OpenSSL plugin code entirely. We'd also prefer not to resort to workarounds such as signing with a throwaway key and manually extracting/re-injecting signatures.
>
> If this direction seems acceptable, or if you're open to the idea but have concerns about the approach, I'd welcome your feedback before investing time in a full patch.

I think the ability to do remote signing functionality would be fine.
It might be useful to go into a bit more details of what you're
thinking here, is there open standards/APIs for this sort of
integration? Most of what I'm aware of, and it's been some time since
I looked, was either using PKCS interfaces or proprietary
APIs/libraries, the later IMO would not be appropriate.

Regards,
Peter