How can we perform code signing using an HSM with module-signer?

UPDATE #2 2024-03-22

Hilarious, we still have some automation that successfully publishes to the Gradle Plugin Portal. It's up there under Perrry's personal account.

So there is probably no custom configuration needed in settings.gradle.kts if you are already pulling from GPP.


UPDATE 2024-03-22

That PR has been merged and the Gradle plugin published to our nexus.inductiveautomation.com public repo. Make sure your Gradle project is using 7.6 or later for it to run reliably.

To use our Nexus repository for plugin resolution, add the following configuration to your settings.gradle.kts and build.gradle.kts (if using the Gradle Groovy DSL the syntax is similar):

// settings.gradle.kts

pluginManagement {
    repositories {
        maven {
            name = "publicNexusRelease"
            url = uri("https://nexus.inductiveautomation.com/repository/inductiveautomation-releases")
        }

        // if you want to use snapshot builds of the plugin
        // maven {
        //     name = "publicNexusSnapshot"
        //     url = uri("https://nexus.inductiveautomation.com/repository/inductiveautomation-snapshots")
        // }

        gradlePluginPortal()

        // and any other plugin repos you may be using
    }
}

// build.gradle.kts

plugins {
    // any other plugins
    id("io.ia.sdk.modl") version "0.2.0"
}

For the time being we are not publishing to the Gradle Plugin Portal, even though an older version of this plugin is published there now. We're considering this down the road after ironing out some process issues.


Draft PR is up on GitHub.

inductiveautomation/ignition-module-tools#43

Hello

I am trying to sign a module using a cloud HSM (GCP KMS).

pkcs11 config file:

name = CloudKMS
library = /tmp/libkmsp11.so
slotListIndex = 0

attributes(*, CKO_PRIVATE_KEY, *) = {
  CKA_SIGN = true
}

-------

libkmsp11.so library config

tokens:
  - key_ring: "projects/${GCP_PROJECT}/locations/${KMS_KEY_LOCATION}/keyRings/${KMS_KEY_RING}"

--------

    gradle signModule \
      --certAlias ${KMS_KEY_NAME} \
      --certFile /tmp/signing.crt \
      --pkcs11CfgFile /tmp/pkcs11.cfg 

error:
2026-04-29T13:38:23.747+0000 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] * What went wrong:
2026-04-29T13:38:23.748+0000 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Execution failed for task ':signModule'.
2026-04-29T13:38:23.748+0000 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] > null cannot be cast to non-null type java.security.PrivateKey

SignModule.kt line 357
val privateKey: PrivateKey = keyStore.getKey( certAlias, certPassword?.toCharArray() ) as PrivateKey

I found my issue: it was in the libkmsp11.so library config. As per this, I need to set generate_certs to true.
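
The null cast at SignModule.kt line 357 happens when the PKCS#11 keystore has no usable private key entry under the requested alias; the JDK's SunPKCS11 keystore only exposes a private key that has a matching certificate on the token, which is what generate_certs supplies. The following preflight check is an added example, not part of the thread or of ignition-module-tools; the function name `loadSigningKey` is hypothetical, and it takes the same PKCS#11 config file and alias passed to signModule.

```kotlin
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Security

// Hypothetical helper: load the signing key from a PKCS#11 token and fail
// with a readable message instead of a null-to-PrivateKey cast error.
fun loadSigningKey(pkcs11CfgFile: String, alias: String, pin: CharArray?): PrivateKey {
    // SunPKCS11 ships with the JDK; configure() (Java 9+) binds it to the cfg file.
    val base = Security.getProvider("SunPKCS11")
        ?: error("SunPKCS11 provider is not available in this JDK")
    val provider = base.configure(pkcs11CfgFile)

    val keyStore = KeyStore.getInstance("PKCS11", provider)
    keyStore.load(null, pin)

    // List what the token actually exposes before asking for the key.
    val aliases = keyStore.aliases().toList()
    if (alias !in aliases) {
        error("Alias '$alias' not found on token. Visible aliases: $aliases")
    }
    if (!keyStore.isKeyEntry(alias)) {
        // A key without a matching certificate is not presented as a key entry.
        error("Alias '$alias' is not a private key entry; check that the token " +
              "provides a certificate for it (generate_certs in the thread above)")
    }

    // Safe cast: a null or non-private key becomes an explicit error.
    return keyStore.getKey(alias, pin) as? PrivateKey
        ?: error("Token returned no private key for alias '$alias'")
}

fun main(args: Array<String>) {
    if (args.size < 2) {
        System.err.println("usage: <pkcs11CfgFile> <certAlias>")
        return
    }
    val key = loadSigningKey(args[0], args[1], null)
    println("OK: ${key.algorithm} private key found for alias '${args[1]}'")
}
```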