Add Support for HSM in Trustfence?

I was wondering if someone at Digi is interested in supporting a PKCS11-enabled hardware security module (HSM) as an optional feature to store the signing keys. Using an HSM like the Yubico HSM2 to sign the images with Trustfence instead of using a key file on disk could significantly increase the confidentiality of the signing keys and also allow signing in the cloud without uploading the private keys to a potentially untrusted cloud environment used for building. The Code Signing Tool (CST) from NXP already supports this, and we were able to showcase the feasibility of such an approach internally, with a Yubico HSM and a modified version of Trustfence. In case Digi would be interested in making this an upstream feature, feel free to contact us to discuss the details.