Build your own external signer executable

To build your own external signer executable:

1. Read Input Data
   1. The tool reads raw claim bytes from stdin into a buffer.
   2. These bytes represent the data to be signed.
2. Compute Hash
   1. A SHA-256 hash is computed over the claim bytes (`sha2::Sha256`).
   2. The resulting 32-byte digest is Base64-encoded, as required by the signing API.
3. Obtain Signature Activation Data (SAD)
   1. Calls the SAD API (`SAD_API_URL`) to request a temporary SAD token.
   2. This token authorizes signing operations for the given hash.
   3. The request includes:
      1. credentialID
      2. PIN
      3. hash (in Base64)
   4. Authentication is handled via client certificate (mutual TLS).
   5. The response provides a short-lived SAD string.
4. Request Remote Signature
   1. Calls the Signing API (`SIGNING_API_URL`) with:
      1. The Base64 hash of the claim bytes.
      2. The SAD token.
      3. The signing algorithm (Ps256 / RSASSA-PSS).
   2. The service returns a Base64-encoded digital signature.
5. Process and Output Signature
   1. The Base64 signature is decoded into raw bytes.
   2. These raw signature bytes are written to stdout.
   3. If any step fails, an error is logged, and the process exits with a non-zero status.
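The five steps above as one complete external signer, added here as an example and not code from the page or the project it documents. It is written in Python on the standard library only (the page's own tool uses Rust's `sha2` crate); the JSON field names (`SAD`, `signature`, `signAlgo`), the environment-variable names, and the stdin/stdout contract beyond what the page states are assumptions. The HTTP POST helper is injected so the hashing, SAD, signing and decoding logic can be exercised offline without a real signing service.

```python
"""Added example: minimal external signer (stdin claim -> raw signature on stdout).
Field names, env var names and URLs below are assumptions, not from the page."""
import base64
import hashlib
import json
import os
import ssl
import sys
import urllib.request


class SignerError(Exception):
    """Any failure in steps 1-5; main() turns it into a non-zero exit status."""


def hash_claim_b64(claim: bytes) -> str:
    """Step 2: SHA-256 over the raw claim bytes, Base64-encoded for the API."""
    return base64.b64encode(hashlib.sha256(claim).digest()).decode("ascii")


def https_post_json(cert_file: str, key_file: str):
    """Build a JSON POST helper authenticated with a client certificate (mutual TLS).
    Returns post(url, payload) -> dict.  The server certificate is still verified."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))

    def post(url: str, payload: dict) -> dict:
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with opener.open(req, timeout=30) as resp:
            return json.load(resp)
    return post


def request_sad(post, sad_url: str, credential_id: str, pin: str, hash_b64: str) -> str:
    """Step 3: request a short-lived SAD token bound to this hash."""
    body = {"credentialID": credential_id, "PIN": pin, "hash": [hash_b64]}
    resp = post(sad_url, body)
    sad = resp.get("SAD")  # assumed response field name
    if not isinstance(sad, str) or not sad:
        raise SignerError(f"SAD API returned no SAD token: {resp!r}")
    return sad


def request_signature(post, signing_url: str, hash_b64: str, sad: str, algo: str) -> bytes:
    """Steps 4 and 5: request the remote signature and decode it to raw bytes."""
    body = {"hash": [hash_b64], "SAD": sad, "signAlgo": algo}  # assumed field names
    resp = post(signing_url, body)
    sig_b64 = resp.get("signature")  # assumed response field name
    if not isinstance(sig_b64, str):
        raise SignerError(f"Signing API returned no signature: {resp!r}")
    try:
        return base64.b64decode(sig_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise SignerError(f"signature is not valid Base64: {exc}") from exc


def sign_claim(claim: bytes, cfg: dict, post) -> bytes:
    """Run steps 2-5 on already-read claim bytes; `post` is injected for testing."""
    if not claim:
        raise SignerError("no claim bytes received on stdin")
    hash_b64 = hash_claim_b64(claim)
    sad = request_sad(post, cfg["sad_url"], cfg["credential_id"], cfg["pin"], hash_b64)
    return request_signature(post, cfg["signing_url"], hash_b64, sad, cfg.get("algo", "Ps256"))


def main() -> int:
    """Step 1 reads stdin; any failure is logged to stderr and exits non-zero."""
    try:
        cfg = {  # assumed environment variable names
            "sad_url": os.environ["SAD_API_URL"],
            "signing_url": os.environ["SIGNING_API_URL"],
            "credential_id": os.environ["SIGNER_CREDENTIAL_ID"],
            "pin": os.environ["SIGNER_PIN"],
        }
        post = https_post_json(os.environ["SIGNER_CLIENT_CERT"], os.environ["SIGNER_CLIENT_KEY"])
        signature = sign_claim(sys.stdin.buffer.read(), cfg, post)
    except (KeyError, OSError, SignerError, ValueError) as exc:
        print(f"external signer failed: {exc!r}", file=sys.stderr)
        return 1
    sys.stdout.buffer.write(signature)  # raw bytes only; nothing else may go to stdout
    sys.stdout.buffer.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two design points worth noting: stdout carries only the raw signature bytes, so every log line goes to stderr, otherwise the caller would read the log text as part of the signature; and `ssl.create_default_context()` keeps server-certificate verification on while `load_cert_chain` adds the client certificate, so mutual TLS does not silently become one-sided.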