Add support for production signing with Azure Key Vault #108
Signed-off-by: Sankaranarayanan Venkatasubramanian [email protected]
Description of the changes
This change enables production signing with Azure Key Vault's Managed HSM. The `gsc.py` script is modified to take a `keytype` parameter that will use `pem` for local private key and `akv` for Azure Key Vault. Please also see gramineproject/gramine#1020 for the changes to `gramine-sgx-sign`.
This change replaces the Dockerfile template used for signing with two different templates - one for local signing (default) and the other one for signing with Azure Key Vault.
In case of Azure Key Vault, we currently enable signing only for login with az-cli. So, the corresponding Dockerfile installs the AKV-related packages and invokes `az login`. This will prompt an authentication during the signing stage and will wait until the authentication succeeds (or fails) - please see below. (This will be revisited later once we have managed identity working with Azure subscription.)

Related issues in Gramine:
How to test this PR?
Please apply gramineproject/gramine#1020 and build Gramine with the corresponding changes. And, run `./gsc sign-image --keytype akv --key vault_url:keyname <unsigned gramine image>` to test.

This change is
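As an added illustration of the `--keytype`/`--key` handling described in this PR (example code, not the PR's own changes or the gsc project's code): a validator that accepts the `pem` and `akv` argument shapes and picks the matching signing template. The template file names, the `parse_key_arg` and `build_parser` names, and the `pem` default are assumptions; the one non-obvious point it handles is that a vault URL itself contains `:`, so `vault_url:keyname` must be split at the last colon.

```python
import argparse
from pathlib import Path
from urllib.parse import urlparse

# Hypothetical template names: the PR only states that there are two
# templates, one for local (default) signing and one for Azure Key Vault.
SIGN_TEMPLATES = {
    "pem": "Dockerfile.sign.template",
    "akv": "Dockerfile.akv.sign.template",
}


def parse_key_arg(keytype: str, key: str) -> dict:
    """Validate a --keytype/--key pair and return the signing configuration.

    pem: `key` is the path to a local private key file.
    akv: `key` is `vault_url:keyname`; the URL contains ':' itself, so the
         key name is taken from the part after the LAST colon only.
    """
    if keytype not in SIGN_TEMPLATES:
        raise ValueError(f"unsupported keytype {keytype!r}, expected one of {sorted(SIGN_TEMPLATES)}")

    if keytype == "pem":
        path = Path(key)
        if not path.is_file():
            raise ValueError(f"private key file not found: {key}")
        return {"keytype": "pem", "template": SIGN_TEMPLATES["pem"], "key_path": str(path)}

    vault_url, sep, keyname = key.rpartition(":")
    if not sep or not vault_url or not keyname:
        raise ValueError("akv key must be given as vault_url:keyname")
    parsed = urlparse(vault_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"vault_url must be an https URL, got {vault_url!r}")
    return {"keytype": "akv", "template": SIGN_TEMPLATES["akv"],
            "vault_url": vault_url, "keyname": keyname}


def build_parser() -> argparse.ArgumentParser:
    """Argument parser mirroring the `gsc sign-image` invocation in the PR."""
    parser = argparse.ArgumentParser(prog="gsc sign-image")
    parser.add_argument("--keytype", choices=sorted(SIGN_TEMPLATES), default="pem")
    parser.add_argument("--key", required=True, help="pem: key file path; akv: vault_url:keyname")
    parser.add_argument("image", help="unsigned Gramine image")
    return parser


if __name__ == "__main__":
    args = build_parser().parse_args()
    print(parse_key_arg(args.keytype, args.key))
```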