Signing: Server

This guide explains how to sign arbitrary files with signing keys that are stored in a security key or a Hardware Security Module (HSM).

At FMD, we use this to sign the ZIP files with the FMD Server release artifacts. This guide uses relatively "raw" tools: pkcs11-tool and openssl.

Prerequisites

A hardware token that exposes a PKCS#11 API. See the key management guide.
A pre-created private key on the hardware token.

Sign

First, get the Key ID of the key you want to sign with. This is necessary because pkcs11-tool does not support selecting a signing key by its label.

KEY_ID=$(pkcs11-tool --module ${MODULE} --token-label ${TOKEN} --list-objects --label ${KEY_ALIAS} --type pubkey | grep "ID:" | awk '{print $2}')

Read the User PIN to a variable.

read -s -p "Enter User PIN:" USER_PIN

Finally, hash the file using SHA-512 and sign the digest using ECDSA:

MODULE=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
TOKEN=my-token-label
FILE_NAME=server.zip

openssl dgst -sha512 -binary  ${FILE_NAME} | pkcs11-tool --module ${MODULE} --login --pin ${USER_PIN} --token-label ${TOKEN} --sign --id ${KEY_ID} --mechanism ECDSA --output-file "${FILE_NAME}.sig" --signature-format openssl

Inspect the signature

openssl asn1parse -in file.sig -inform DER -i

Export the public key

If you have not already, export the public key from your hardware token.

Verify the signature

openssl dgst -sha512 -keyform DER -verify "${KEY_ALIAS}.pub.der" -signature "${FILE_NAME}.sig" ${FILE_NAME}

Prerequisites​

Sign​

Inspect the signature​

Export the public key​

Verify the signature​

Prerequisites

Sign

Inspect the signature

Export the public key

Verify the signature