This repository was archived by the owner on May 18, 2026. It is now read-only.

Add --pkcs11-token flag to select PKCS11 token by label #1

Draft
Copilot wants to merge 1 commit into master from copilot/add-pkcs11-token-flag


Copilot AI commented May 12, 2026

When multiple PKCS11 tokens are present, there was no way to target a specific one by label — the engine would use whichever token it found first.

Changes

  • Program.cs: Registers --pkcs11-token <label> as an optional SingleValue option, wired into the SignPkcs11 dispatch path.
  • SignCommand.cs:
    • Added pkcs11Token parameter to SignPkcs11().
    • Passes resolved tokenLabel (nullable) to both GetSigningKeyFromPkcs11() and GetCertificateFromPkcs11().
    • Both helpers call ENGINE_ctrl_cmd_string(engine, "TOKEN_LABEL", tokenLabel, 0) before loading the key/cert when a label is provided.

Usage

OpenVsixSignTool sign \
  --pkcs11-module /usr/lib/pkcs11.so \
  --pkcs11-cert "my-cert" \
  --pkcs11-key "my-key" \
  --pkcs11-token "YubiKey PIV" \
  package.vsix

The flag is optional; omitting it preserves existing behaviour.
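
As an added example (not code from this pull request or from OpenVsixSignTool), the C below shows the comparison that selecting a token by label depends on: PKCS#11 reports a token label as a 32-byte, blank-padded field with no terminator, so the match has to be exact on the trimmed label and has to fail when no token or more than one token carries it, rather than fall back to the first token found. `token_entry`, `select_token`, `sample_tokens` and the sample labels are hypothetical names and constructed data.

```c
#include <string.h>

#define LABEL_LEN 32 /* CK_TOKEN_INFO.label: 32 bytes, blank padded, no NUL */
enum { SELECT_OK = 0, SELECT_NOT_FOUND = -1, SELECT_AMBIGUOUS = -2, SELECT_BAD_LABEL = -3 };

/* Constructed stand-in for what a PKCS#11 module reports per slot. */
struct token_entry { unsigned long slot_id; unsigned char label[LABEL_LEN]; };

/* Length of a padded label once trailing blanks are dropped. */
static size_t trimmed_len(const unsigned char *label)
{
    size_t n = LABEL_LEN;
    while (n > 0 && label[n - 1] == ' ')
        n--;
    return n;
}

/* Exact, whole-label match; anything other than one match is an error. */
int select_token(const struct token_entry *tokens, size_t count,
                 const char *wanted, unsigned long *slot_out)
{
    size_t wlen = wanted ? strlen(wanted) : 0, matches = 0;
    unsigned long found = 0;
    /* A trailing blank cannot be told apart from padding, so reject it. */
    if (wlen == 0 || wlen > LABEL_LEN || wanted[wlen - 1] == ' ')
        return SELECT_BAD_LABEL;
    for (size_t i = 0; i < count; i++) {
        if (trimmed_len(tokens[i].label) == wlen &&
            memcmp(tokens[i].label, wanted, wlen) == 0) {
            found = tokens[i].slot_id;
            matches++;
        }
    }
    if (matches != 1)
        return matches ? SELECT_AMBIGUOUS : SELECT_NOT_FOUND;
    *slot_out = found;
    return SELECT_OK;
}

/* Constructed sample: four tokens, two of which share a label. */
size_t sample_tokens(struct token_entry out[4])
{
    static const char *names[4] = { "SoftHSM dev", "YubiKey PIV", "YubiKey PIV #2", "SoftHSM dev" };
    for (size_t i = 0; i < 4; i++) {
        out[i].slot_id = (unsigned long)i;
        memset(out[i].label, ' ', LABEL_LEN);
        memcpy(out[i].label, names[i], strlen(names[i]));
    }
    return 4;
}
```

A signing tool that gets any result other than `SELECT_OK` should stop before loading the key, so a mistyped or duplicated label never results in a signature from an unintended token.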
