feat: Use multiple yubikeys at same time #503
.github/workflows/ci.yml
echo "install nfc /bin/false" | sudo tee -a /etc/modprobe.d/blacklist.conf | ||
echo "install pn533 /bin/false" | sudo tee -a /etc/modprobe.d/blacklist.conf | ||
|
||
- name: Build and install pyscard from source |
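Review bot: the two `install ... /bin/false` lines carry no comment saying why the nfc and pn533 modules are blacklisted on the runner; a one-line YAML comment above them would save the next reader a trip through the git history. Also note that a modprobe `install` rule only blocks future loads: if either module is already loaded when this step runs it stays loaded, so if the intent is for the modules to be absent during the test run, follow the `tee` lines with something like `sudo modprobe -r pn533 nfc || true`.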
I remember having to build pyscard from source a while back, but at some point, it was no longer necessary. If this is a temporary workaround, please create an issue and provide some details, so that we don't forget about it.
taf/repository_tool.py
serial = yk.get_serial_num(inserted_key) | ||
else: | ||
print(f"Final confirmation for {name} key") | ||
serial = yk.verify_yubikey_serial() |
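Review bot: the else branch obtains `serial` from `yk.verify_yubikey_serial()` with no device argument, while the if branch reads it from `inserted_key` via `get_serial_num`; nothing in the visible lines checks that the value coming back on the else path belongs to a device that is actually inserted before it is used to pick the signing key. Consider resolving the serial against the connected devices and failing when none matches, rather than accepting a value that may only have been typed in. The `print(f"Final confirmation for {name} key")` prompt also does not say what the user is expected to enter; naming the serial number there would help.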
I am currently unable to test this since I am not able to insert two YubiKeys at the same time, but based on the code, it looks like you have to manually enter each of the YubiKeys' serial numbers. This is probably less user-friendly compared to having to remove and insert the devices. A bigger issue, however, is that we want to be able to sign metadata using YubiKeys plugged into our server. So, this should iterate over all inserted YubiKeys and simply try to sign using all of them, instead of asking for any input. So, let's say that you have timestamp and snapshot keys inserted and you need to sign timestamp metadata. We need to automatically detect the key that can sign the timestamp metadata. At the moment, the user will have to enter pins too, but we don't need to address that in this PR.
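The selection behaviour the comment above asks for, written out as an added example that is not TAF code: walk every inserted device, sign with the ones whose key the role's metadata lists, skip the rest, and report a shortfall against the threshold, with no serial prompt anywhere. Everything below is a constructed stand-in: `Device` is a software ed25519 key in place of a YubiKey PIV slot, the serial numbers are made up, `KeyID` is a plain SHA-256 over the raw public key rather than the project's own keyid computation, and PIN entry is left out, as the comment says it is out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Device is a constructed stand-in for one inserted YubiKey: the serial it
// reports plus the signing key that would live in its PIV slot.
type Device struct {
	Serial uint32
	priv   ed25519.PrivateKey
}

// NewDevice creates a stand-in device holding a fresh random key.
func NewDevice(serial uint32) Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{Serial: serial, priv: priv}
}

// PublicKey is what the real device would expose through its certificate.
func (d Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign stands in for the on-device signing operation (PIN handling omitted).
func (d Device) Sign(payload []byte) []byte { return ed25519.Sign(d.priv, payload) }

// KeyID names a key by hashing its public part. Assumption: plain SHA-256 of
// the raw key, not the canonical-JSON keyid the real metadata uses.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Role holds the part of role metadata that drives key selection: the
// allowed public keys indexed by keyid, and the signing threshold.
type Role struct {
	Name      string
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// RoleFor builds a Role whose allowed keys are those of the given devices.
func RoleFor(name string, threshold int, devices ...Device) Role {
	keys := make(map[string]ed25519.PublicKey, len(devices))
	for _, d := range devices {
		keys[KeyID(d.PublicKey())] = d.PublicKey()
	}
	return Role{Name: name, Keys: keys, Threshold: threshold}
}

// Signature records which keyid, and which physical device, produced it.
type Signature struct {
	KeyID  string
	Serial uint32
	Sig    []byte
}

// SignRole walks every inserted device, signs with those whose keyid the role
// lists and silently skips the others, so nobody has to type a serial number.
// It returns an error when fewer matching devices than the threshold were found.
func SignRole(role Role, inserted []Device, payload []byte) ([]Signature, error) {
	var sigs []Signature
	for _, d := range inserted {
		id := KeyID(d.PublicKey())
		if _, ok := role.Keys[id]; !ok {
			continue // this device holds a key for some other role
		}
		sigs = append(sigs, Signature{KeyID: id, Serial: d.Serial, Sig: d.Sign(payload)})
	}
	if len(sigs) < role.Threshold {
		return sigs, fmt.Errorf("role %s: %d of %d required signatures", role.Name, len(sigs), role.Threshold)
	}
	return sigs, nil
}

// VerifyRole counts signatures that verify under a key the role lists and
// reports whether the threshold is reached; a keyid counts at most once.
func VerifyRole(role Role, payload []byte, sigs []Signature) bool {
	seen := make(map[string]bool)
	for _, s := range sigs {
		pub, ok := role.Keys[s.KeyID]
		if !ok || seen[s.KeyID] || !ed25519.Verify(pub, payload, s.Sig) {
			continue
		}
		seen[s.KeyID] = true
	}
	return len(seen) >= role.Threshold
}

func main() {
	timestamp, snapshot := NewDevice(1000001), NewDevice(2000002) // constructed serials
	role := RoleFor("timestamp", 1, timestamp)
	payload := []byte("constructed timestamp metadata")
	sigs, err := SignRole(role, []Device{snapshot, timestamp}, payload)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("signed %s with device %d, verified: %v\n", role.Name, sigs[0].Serial, VerifyRole(role, payload, sigs))
}
```

With both stand-in devices inserted and a timestamp role that lists only the timestamp key, `SignRole` signs with serial 1000001 and ignores serial 2000002; asking the same two devices to sign a root role with threshold 2 yields two signatures, and asking only one of them yields the shortfall error instead of a prompt.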
I'll merge this into a feature branch, to move this code off of the fork. Makes sense at first glance, but I am not able to test this since I am not able to plug in two YubiKeys at the same time.
Description
Use multiple YubiKeys at the same time (key generation, repo generation, target signing). Resolves issue #244