update: make --create-key work with a HSM

fdroidserver/common.py

@@ -3345,26 +3345,33 @@ def genkeystore(localconfig):
 
     env_vars = {'LC_ALL': 'C.UTF-8',
                 'FDROID_KEY_STORE_PASS': localconfig['keystorepass'],
-                'FDROID_KEY_PASS': localconfig['keypass']}
-    p = FDroidPopen([config['keytool'], '-genkey',
-                     '-keystore', localconfig['keystore'],
-                     '-alias', localconfig['repo_keyalias'],
-                     '-keyalg', 'RSA', '-keysize', '4096',
-                     '-sigalg', 'SHA256withRSA',
-                     '-validity', '10000',
-                     '-storepass:env', 'FDROID_KEY_STORE_PASS',
-                     '-keypass:env', 'FDROID_KEY_PASS',
-                     '-dname', localconfig['keydname'],
-                     '-J-Duser.language=en'], envs=env_vars)
+                'FDROID_KEY_PASS': localconfig.get('keypass', "")}
+
+    cmd = [config['keytool'], '-genkey',
+           '-keystore', localconfig['keystore'],
+           '-alias', localconfig['repo_keyalias'],
+           '-keyalg', 'RSA', '-keysize', '4096',
+           '-sigalg', 'SHA256withRSA',
+           '-validity', '10000',
+           '-storepass:env', 'FDROID_KEY_STORE_PASS',
+           '-dname', localconfig['keydname'],
+           '-J-Duser.language=en']
+    if localconfig['keystore'] == "NONE":
+        cmd += localconfig['smartcardoptions']
+    else:
+        cmd += '-keypass:env', 'FDROID_KEY_PASS'
+    p = FDroidPopen(cmd, envs=env_vars)
     if p.returncode != 0:
         raise BuildException("Failed to generate key", p.output)
-    os.chmod(localconfig['keystore'], 0o0600)
+    if localconfig['keystore'] != "NONE":
+        os.chmod(localconfig['keystore'], 0o0600)
     if not options.quiet:
         # now show the lovely key that was just generated
         p = FDroidPopen([config['keytool'], '-list', '-v',
                          '-keystore', localconfig['keystore'],
                          '-alias', localconfig['repo_keyalias'],
-                         '-storepass:env', 'FDROID_KEY_STORE_PASS', '-J-Duser.language=en'], envs=env_vars)
+                         '-storepass:env', 'FDROID_KEY_STORE_PASS', '-J-Duser.language=en']
+                        + config['smartcardoptions'], envs=env_vars)
         logging.info(p.output.strip() + '\n\n')
     # get the public key
     p = FDroidPopenBytes([config['keytool'], '-exportcert',

fdroidserver/init.py

@@ -215,6 +215,9 @@ def main():
                 f.write('name = OpenSC\nlibrary = ')
                 f.write(opensc_so)
                 f.write('\n')
+        logging.info("Repo setup using a smartcard HSM. Please edit keystorepass and repo_keyalias in config.py.")
+        logging.info("If you want to generate a new repo signing key in the HSM you can do that with 'fdroid update "
+                     "--create-key'.")
     elif os.path.exists(keystore):
         to_set = ['keystorepass', 'keypass', 'repo_keyalias', 'keydname']
         if repo_keyalias:

fdroidserver/update.py

@@ -2323,7 +2323,7 @@ def main():
         if 'keystorepass' not in config:
             config['keystorepass'] = password
             common.write_to_config(config, 'keystorepass', config['keystorepass'])
-        if 'keypass' not in config:
+        if 'keypass' not in config and not config['keystore'] == "NONE":
             config['keypass'] = password
             common.write_to_config(config, 'keypass', config['keypass'])
         common.genkeystore(config)