
Conversation

@p1gp1g (Contributor) commented Mar 17, 2025

OpenSC works fine when using the main signing slot of yubikeys, but doesn't work with "retired slots". Adding yubico-piv-tool makes it possible to do it with other slots as well.

Retired slots for yubikeys can be used to store keys used for different purposes. For example, someone may use the main signing slot to sign packages or libraries, and want to use a different key for secure boot. This other key can be stored in Retired Slot 1.

I think Yubikeys are common hardware that can be used to sign images with mkosi, so it makes sense to have it in the tools image.

@DaanDeMeyer (Contributor) commented

I don't think we should work around limitations in opensc in mkosi. Please work with opensc to make it work with retired slots.

@p1gp1g (Contributor, Author) commented Mar 17, 2025

There is an open issue for that: OpenSC/OpenSC#3287, and I agree it would be better to have a proper fix in opensc, but until then it would be nice to just be able to sign the images. Is there anything blocking except that it isn't the perfect solution? Can it be included until the issue is fixed?

@p1gp1g (Contributor, Author) commented Mar 17, 2025

Another solution would be a way to set some extra files for the tools tree.

@DaanDeMeyer (Contributor) commented

@p1gp1g There's ToolsTreePrepareScripts= now; you can use that to make whatever changes you want locally.

@p1gp1g (Contributor, Author) commented Mar 17, 2025

Thanks, I wasn't aware of this option; it will do the job 👍

@p1gp1g closed this Mar 17, 2025

@p1gp1g (Contributor, Author) commented Jul 29, 2025

For anyone seeing this PR: it wasn't possible to use opensc because of the missing context, and the Yubico manual for restoring the slots history wasn't correct.

It is possible to restore it with this:

$ echo C10114C20100FE00 | xxd -r -p | ykman --device myserial piv objects import 0x5FC10C - --management-key  '[...]' --pin '[...]'

cf. OpenSC/OpenSC#3287 (comment)
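As an added example (not code from the PR, from ykman or from OpenSC), the following Python encodes and decodes the body of the PIV Key History data object (tag 0x5FC10C) that the command above imports, so the hex value can be checked or adapted before it is written to a key. The field layout (C1 keys with on-card certs, C2 keys with off-card certs, optional F3 URL, FE error detection code) is taken from NIST SP 800-73-4; single-byte TLV lengths are assumed.

```python
# Added example, not from the PR: encode/decode the PIV Key History object
# body (data object tag 0x5FC10C, field layout per NIST SP 800-73-4) so the
# hex string piped into ykman above can be verified or adapted.

KEY_HISTORY_TAG = 0x5FC10C   # PIV data object that records retired-key use
RETIRED_SLOTS = 20           # PIV defines retired key slots 0x82..0x95


def build_key_history(on_card: int, off_card: int, url: bytes = b"") -> bytes:
    """Encode the object body: C1 on-card count, C2 off-card count,
    optional F3 off-card certificate URL, then an empty FE error-detection code."""
    if not (0 <= on_card <= RETIRED_SLOTS and 0 <= off_card <= RETIRED_SLOTS):
        raise ValueError("counts must be within the 20 retired slots")
    if len(url) > 0x7F:
        raise ValueError("single-byte TLV lengths only (URL too long)")
    body = bytes([0xC1, 1, on_card, 0xC2, 1, off_card])
    if url:
        body += bytes([0xF3, len(url)]) + url
    return body + bytes([0xFE, 0x00])


def parse_key_history(data: bytes) -> dict:
    """Decode a Key History body, rejecting truncated or unexpected TLVs."""
    fields = {"keys_with_on_card_certs": 0, "keys_with_off_card_certs": 0,
              "off_card_cert_url": b""}
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] > 0x7F:
            raise ValueError(f"bad TLV header at offset {i}")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag:#x}")
        i += 2 + length
        if tag == 0xC1 and length == 1:
            fields["keys_with_on_card_certs"] = value[0]
        elif tag == 0xC2 and length == 1:
            fields["keys_with_off_card_certs"] = value[0]
        elif tag == 0xF3:
            fields["off_card_cert_url"] = value
        elif tag == 0xFE and length == 0:
            pass  # error detection code, always empty on PIV cards
        else:
            raise ValueError(f"unexpected tag {tag:#x} (len {length})")
    return fields


if __name__ == "__main__":
    # Reproduces the value from the comment above: 20 retired keys with on-card certs.
    assert build_key_history(20, 0).hex().upper() == "C10114C20100FE00"
    print(parse_key_history(bytes.fromhex("C10114C20100FE00")))
```

The output of build_key_history(20, 0) is what the comment pipes through xxd into ykman; a different on-card count produces the corresponding object for cards where fewer retired slots are populated.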
