Support eHSM as an alternative KMS solution

[syan10]

Dear maintainers,

We've developed an SGX-based Cloud KMS (called as eHSM), eHSM is a cloud service to provide functionalities to manage keys and secrets by fully leveraging Intel SGX capability. It based on SGX SDK not LibOS, which has smaller TCB (Trusted Computing Base) and thus enhanced security. more details please see the follwoing link: https://github.com/intel/ehsm.git

we're investigating is it possible to upstream it into the cosign as an alternative KMS solution, if so, could you provide some guide or wikis to show how to do it? Thanks.

[znewman01]

See https://github.com/sigstore/sigstore/issues/1012

The sigstore/sigstore repo is the right place to track this.

Right now, we have to add every supported KMS provider over there. Per https://github.com/sigstore/sigstore/issues/386 we'd like to make it easy to plug in your own, but that work's not done yet.

Additionally, if you support KMIP then we could get support for free: https://github.com/sigstore/sigstore/issues/784

[haydentherapper]

We've completed https://github.com/sigstore/sigstore/issues/1658 to offer a plugin interface for KMS providers. Organizations can independently and privately develop & distribute their plugins without needing downstream updates to libraries to support additional KMS providers as build-time dependencies

See https://github.com/sigstore/sigstore/tree/main/pkg/signature/kms/cliplugin for more information and https://github.com/sigstore/sigstore/tree/main/test/cliplugin/localkms for an example.