Evaluate scheme for ongoing SSH hostkey verification

The signing service host should have an SSH host key that is permanent (and does not change when updating the OS). For this purpose an overlay mount can be used to provide a permanent host key.

When looking at integration with the HSM as backend, one can also evaluate the use of ssh-openpgp-auth and PKCS#11 for the use of private key material.