Optional PCKS#11 for signing with Yubikey/Trezor etc.

Question

lrvick opened this issue 6 years ago · 2 comments

Answer 1 · 2018-12-17T10:26:43.000Z

Will need to adapt image signing tools to use a scheme like the following: https://developers.yubico.com/PIV/Guides/Android_code_signing.html

Answer 2 · 2019-09-02T14:13:12.000Z

I looked into this briefly, and wrote down my findings at https://gitlab.com/calyxos/calyxos/wikis/Offline-signing

TL;DR:

Some AOSP scripts will need slight modifications
Need a signapk which supports keys stored on dedicated hardware
Need to write an external program that's called by avbtool to sign things using keys stored on dedicated hardware.