'smartcardoptions' config item for setting up HSMs with fdroid

These options are needed to configure Java's keytool and jarsigner to use
a Hardware Security Module aka HSM aka smartcard.  The defaults provided
are meant to make things work as easily as possible.

examples/config.py

@@ -59,9 +59,19 @@ of applications from the main repository.
 # jarsigner using -alias.  (Not needed in an unsigned repository).
 #repo_keyalias = "fdroidrepo"
 
-#The keystore to use for release keys when building. This needs to be
-#somewhere safe and secure, and backed up!
-#keystore = "/home/me/.local/share/fdroidserver/keystore.jks"
+# The keystore to use for release keys when building. This needs to be
+# somewhere safe and secure, and backed up!  The best way to manage these
+# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To
+# configure FDroid to use a smartcard, set the keystore file using the keyword
+# "NONE" (i.e. keystore = "NONE").  That makes Java find the keystore on the
+# smartcard based on 'smartcardoptions' below.
+#keystore = "~/.local/share/fdroidserver/keystore.jks"
+
+# You should not need to change these at all, unless you have a very
+# customized setup for using smartcards in Java with keytool/jarsigner
+#smartcardoptions = "-storetype PKCS11 -providerName SunPKCS11-OpenSC \
+#    -providerClass sun.security.pkcs11.SunPKCS11 \
+#    -providerArg opensc-fdroid.cfg"
 
 # The password for the keystore (at least 6 characters).  If this password is
 # different than the keypass below, it can be OK to store the password in this

fdroidserver/common.py

@@ -54,6 +54,16 @@ def read_config(opts, config_file='config.py'):
     logging.debug("Reading %s" % config_file)
     execfile(config_file, config)
 
+    # smartcardoptions must be a list since its command line args for Popen
+    if 'smartcardoptions' in config:
+        config['smartcardoptions'] = config['smartcardoptions'].split(' ')
+    elif 'keystore' in config and config['keystore'] == 'NONE':
+        # keystore='NONE' means use smartcard, these are required defaults
+        config['smartcardoptions'] = ['-storetype', 'PKCS11', '-providerName',
+                                      'SunPKCS11-OpenSC', '-providerClass',
+                                      'sun.security.pkcs11.SunPKCS11',
+                                      '-providerArg', 'opensc-fdroid.cfg']
+
     defconfig = {
         'sdk_path': "$ANDROID_HOME",
         'ndk_path': "$ANDROID_NDK",
@@ -67,6 +77,7 @@ def read_config(opts, config_file='config.py'):
         'repo_maxage': 0,
         'build_server_always': False,
         'keystore': '$HOME/.local/share/fdroidserver/keystore.jks',
+        'smartcardoptions': [],
         'char_limits': {
             'Summary' : 50,
             'Description' : 1500

fdroidserver/update.py

@@ -642,7 +642,8 @@ def make_index(apps, apks, repodir, archive, categories):
             p = FDroidPopen(['keytool', '-exportcert',
                                   '-alias', config['repo_keyalias'],
                                   '-keystore', config['keystore'],
-                                  '-storepass:file', config['keystorepassfile']])
+                                  '-storepass:file', config['keystorepassfile']]
+                            + config['smartcardoptions'])
             if p.returncode != 0:
                 logging.critical("Failed to get repo pubkey")
                 sys.exit(1)
@@ -799,7 +800,8 @@ def make_index(apps, apks, repodir, archive, categories):
             '-storepass:file', config['keystorepassfile'],
             '-keypass:file', config['keypassfile'],
             '-digestalg', 'SHA1', '-sigalg', 'MD5withRSA',
-            os.path.join(repodir, 'index.jar') , config['repo_keyalias']])
+            os.path.join(repodir, 'index.jar') , config['repo_keyalias']]
+            + config['smartcardoptions'])
         # TODO keypass should be sent via stdin
         if p.returncode != 0:
             logging.info("Failed to sign index")