Code signing

Hello Nitrokey,

Your devices look interesting…

I am looking for a solution to store a private key on an external device (“HSM”) to be used as part of a code signing procedure we are implementing.
Most preferably, the solution can work as part of a software build chain for automatic signing of Java archives.

Right now we have the issue that the private key used for signing is accessible to everyone who has access to the build servers.
This is bad, so the solution we are looking for should be able to protect the private key.
Java keystores won’t solve that, as long as you have the password you are able to export everything with that password.

Being less familiar with all the APIs around smart cards, the question is: are your smart-card APIs accessible from Java for the purpose of signing?

Awaiting your answer and best regards,

Bram Doornbos

In general yes, you can use Nitrokey from Java.
For Nitrokey Pro: Either execute GnuPG or use our PKCS#11 driver.
For Nitrokey HSM: Either execute gpg-sm, use our PKCS#11 driver, or use our JCE Provider (easiest).
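
As an added example (not Nitrokey's own code, and not from the original thread), this is what the PKCS#11 route looks like from Java for the JAR-signing use case in the question: the SunPKCS11 provider exposes the token as a keystore, and the jdk.security.jarsigner API (JDK 9+) signs the archive while the private key stays on the device. The PKCS#11 module path, slot index, key alias and the HSM_PIN environment variable are placeholders.

```java
// Added example: sign a JAR with a private key held in a PKCS#11 token.
// Assumptions (placeholders): module path, slot index, key alias, HSM_PIN env var.
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.zip.ZipFile;
import jdk.security.jarsigner.JarSigner;

public class Pkcs11JarSign {
    public static void main(String[] args) throws Exception {
        // args: <pkcs11.cfg> <key alias> <in.jar> <out.jar>; the PIN comes from
        // the environment rather than argv so it does not show up in process lists.
        String cfg = args[0], alias = args[1];
        Path in = Path.of(args[2]), out = Path.of(args[3]);
        char[] pin = System.getenv("HSM_PIN").toCharArray();

        // pkcs11.cfg is a SunPKCS11 config file, e.g. (placeholder values):
        //   name = NitrokeyHSM
        //   library = /usr/lib/opensc-pkcs11.so
        //   slotListIndex = 0
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);

        // The "keystore" is the token itself; the private key object returned
        // here is only a handle, the key material is never loaded into the JVM.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry)
                ks.getEntry(alias, new KeyStore.PasswordProtection(pin));
        if (entry == null) throw new IllegalStateException("no key entry: " + alias);

        // JCA delegates the signature operation to the SunPKCS11 provider,
        // so the RSA operation is performed on the token.
        JarSigner signer = new JarSigner.Builder(entry)
                .digestAlgorithm("SHA-256")
                .signatureAlgorithm("SHA256withRSA")
                .build();
        try (ZipFile zf = new ZipFile(in.toFile());
             OutputStream os = Files.newOutputStream(out)) {
            signer.sign(zf, os);
        }
        Arrays.fill(pin, '\0'); // drop the PIN from memory once signing is done
    }
}
```

This only protects the key if it was generated on the token as non-extractable; whoever holds the PIN on the build server can still sign, so the PIN and the signing log need the same access control and monitoring as the key would have had.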

Apologies for the late response, but thank you very much for the answer :wink: