
[Bug 3613] Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #16 from aim@orbit.online ---
Created attachment 3810
--> https://bugzilla.mindrot.org/attachment.cgi?id=3810&action=edit
test-pkcs11-cert-sign.sh

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3613] Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #17 from aim@orbit.online ---
Created attachment 3811
--> https://bugzilla.mindrot.org/attachment.cgi?id=3811&action=edit
Dockerfile

[Bug 3613] Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #18 from aim@orbit.online ---
Yes!! Thank you Damien. This works perfectly!

I only just now had the extra time to get back to it.

I can confirm that I am now able to sign a peer PKCS#11 pubkey with a
CA PKCS#11 key, use the resulting certificate and the peer PKCS#11 key
to sign a file, and then verify that the file has been signed by the
peer and that the peer is trusted through a "cert-authority" in the
allow signers file.

I have attached a Dockerfile and a test script which functionally tests
everything and also demos how it all works together. It can be run with
`docker run --rm $(docker build -q .)`.

The "Good "file" signature for Peer with RSA-CERT key SHA256:..." line is
what to look for in the logs.

Again, thank you for your hard work, Damien. In a corporate context we
can now do short-lived ssh-certs for git commit signing and pushing
while the key itself can reside on, e.g., a YubiKey or a TPM.

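The sign-and-verify flow described in comment #18, as an added example that is not the attached test-pkcs11-cert-sign.sh: it uses file-based ed25519 keys in place of the PKCS#11 CA and peer keys (so it runs without a token), routes signing through ssh-agent, and checks that the resulting "Good "file" signature ... -CERT key" line appears. All key names, the principal "peer" and the scratch paths are made up here.

```shell
#!/bin/sh
# Added example, not the bug's attachment: CA signs a peer key, the peer
# signs a file with the certificate, verification trusts only the CA via a
# cert-authority entry in allowed_signers.  ed25519 file keys stand in for
# the PKCS#11 keys of the bug report; every path and name below is made up.
set -eu

# Runs the whole flow in a scratch directory.  Returns 0 only when the
# signature verifies through the cert-authority entry; prints the verify line.
pkcs11_cert_sign_demo() {
    dir=$(mktemp -d)
    # CA and peer key pairs (on the reporter's setup these live on a token)
    ssh-keygen -q -t ed25519 -N '' -C ca   -f "$dir/ca"
    ssh-keygen -q -t ed25519 -N '' -C peer -f "$dir/peer"
    # CA issues a short-lived user certificate for the peer key.  The
    # principal "peer" is what the verifier must later bind to with -I.
    ssh-keygen -q -s "$dir/ca" -I peer-cert-1 -n peer -V +1h "$dir/peer.pub"
    # allowed_signers trusts the CA public key, not the individual peer key
    printf 'peer cert-authority %s\n' "$(cut -d' ' -f1,2 "$dir/ca.pub")" \
        > "$dir/allowed_signers"
    printf 'hello from peer\n' > "$dir/hello.txt"
    # "ssh-keygen -Y sign" given a public key path signs through ssh-agent;
    # ssh-add loads peer-cert.pub next to the private key automatically.
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$dir/peer" >/dev/null 2>&1
    status=0
    ssh-keygen -Y sign -f "$dir/peer-cert.pub" -n file "$dir/hello.txt" \
        >/dev/null 2>&1 || status=$?
    # Verify: -I must match the allowed_signers principal and be listed in
    # the certificate; the signing key must chain to the cert-authority key.
    if [ "$status" -eq 0 ]; then
        out=$(ssh-keygen -Y verify -f "$dir/allowed_signers" -I peer -n file \
            -s "$dir/hello.txt.sig" < "$dir/hello.txt" 2>&1) || status=$?
        printf '%s\n' "$out"
        case "$out" in
            *'Good "file" signature for peer with '*-CERT*) ;;
            *) status=1 ;;
        esac
    fi
    ssh-agent -k >/dev/null 2>&1 || true
    rm -rf "$dir"
    return "$status"
}

pkcs11_cert_sign_demo
```

With the fixed OpenSSH from this bug, the same two ssh-keygen invocations work when the CA and peer keys are PKCS#11 keys instead of files.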