Help! I would like to use AWS CloudHSM to sign a Debian package. We currently have a gpg-based flow using reprepro to create an APT repository.

I cannot for the life of me figure out how to put all the pieces together. All the Debian tooling I can find assumes gpg. I don't see how to put a gpg or gpgme-shaped front end in front of CloudHSM.

But maybe I just don't know which of the available protocols is the correct one. (Is it PKCS11? The compatibility between various smartcard-based gpg use cases and CloudHSM does not seem very clear.)

I would greatly appreciate some pointers on how to put these pieces together. Surely some cryptography or AWS nerd has published a Medium article about this?

#Debian #CodeSigning #CloudHSM