I currently generate code signatures for my open source package by using openssl.
The way I do it is:
1. Generate an RSA private/public key pair (e.g. openssl genrsa).
2. During packaging, I create a signature by generating a SHA-512 digest for the package and encrypting the digest using the private key (e.g. openssl dgst -sign).
3. I give my public key to the person downloading the package, and they verify the package using my public key and the signature (e.g. openssl dgst -verify).
I am considering using an HSM server for storing my private key for increased security, but I want to keep the verification workflow the same for my users.
For example, I want my users to be able to verify the signature by using openssl without having to access the HSM device.
Would this workflow be possible with HSM-type devices (e.g. CloudHSM from AWS)?
Thanks for your help.
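The three steps described in the question, written out as an added example (not the poster's own script): it assumes only that the `openssl` CLI is on PATH, uses a temporary directory and a constructed stand-in file in place of the real package tarball, and shows that the verifier needs nothing but the public key and the detached signature. It also goes one step beyond the question by tampering with the signed file and confirming that verification then fails.

```shell
#!/bin/sh
# Added example: RSA/SHA-512 detached signing and verification with the
# openssl CLI. Assumes `openssl` is installed; everything else is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: key pair. The private key is the only secret in the scheme and is the
# part that would move into an HSM; users only ever receive signing.pub.
gen_keys() {
    openssl genrsa -out "$WORK/signing.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/signing.key" -pubout -out "$WORK/signing.pub" 2>/dev/null
}

# Step 2 (packager side): SHA-512 digest of the package, signed with the private
# key. `openssl dgst -sign` emits a binary PKCS#1 v1.5 signature by default.
#   $1 = package file, $2 = output signature file
sign_package() {
    openssl dgst -sha512 -sign "$WORK/signing.key" -out "$2" "$1"
}

# Step 3 (user side): verification uses only the public key and the detached
# signature. Exit status 0 means "Verified OK", non-zero means failure.
#   $1 = package file, $2 = signature file
verify_package() {
    openssl dgst -sha512 -verify "$WORK/signing.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# Round trip on a constructed package: genuine file must verify, a file with
# even one appended byte must be rejected. Returns 0 only if both hold.
run_demo() {
    gen_keys
    printf 'constructed package contents, release 1.0\n' > "$WORK/pkg.tar"
    sign_package "$WORK/pkg.tar" "$WORK/pkg.tar.sig"

    verify_package "$WORK/pkg.tar" "$WORK/pkg.tar.sig" || return 1

    printf 'injected byte\n' >> "$WORK/pkg.tar"
    if verify_package "$WORK/pkg.tar" "$WORK/pkg.tar.sig"; then
        return 1   # a tampered package must not verify
    fi
    return 0
}

run_demo && echo "genuine package verified, tampered package rejected"
```

Nothing in `verify_package` references the private key or the machine that holds it, which is the property the question is after: moving the private key into an HSM changes only how `sign_package` obtains the signature (through the HSM's PKCS#11 interface or vendor client instead of a key file on disk), while the public key and the signature format handed to users stay the same, so their `openssl dgst -verify` command is unchanged.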