ExIcaoVds.Signers.Vault
(ex_icao_vds v0.3.2)
Signing backend using HashiCorp Vault Transit secrets engine.
Signs the payload by pre-hashing locally (SHA-256) and calling the Vault
Transit /sign endpoint with prehashed: true. The response DER signature
is stored directly in the SignatureZone.
Config keys
| Key | Description |
|---|---|
| :vault_addr | Vault server base URL, e.g. "https://vault.example.com" |
| :token | Vault token string, or {:system, "ENV_VAR"} for env-based resolution |
| :key_name | Transit key name (required) |
| :mount_path | Transit mount path (default "transit") |
| :algorithm | :ecdsa_p256_sha256 (default) |
| :signer_identifier | Written into the VDS header |
| :key_reference | Written into the VDS header |
| :receive_timeout | HTTP timeout in ms (default 5_000) |
| :tls_verify | :verify_peer (default) or :verify_none |
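
The Transit exchange described above, as an added Elixir sketch that is not code from ex_icao_vds: it builds the prehashed sign request from the config keys in the table and strips the `vault:v<N>:` prefix from the response to recover the DER signature. The module name `TransitSignSketch`, the sample values and the explicit `hash_algorithm` field are assumptions; the request shape follows the Vault Transit HTTP API, not this library's source.

```elixir
defmodule TransitSignSketch do
  # Hypothetical module for illustration; not part of ex_icao_vds.

  # Build the URL, headers and JSON-ready body of a prehashed Transit sign call.
  def build_request(payload, cfg) when is_binary(payload) do
    digest = :crypto.hash(:sha256, payload)
    mount = Keyword.get(cfg, :mount_path, "transit")
    key = Keyword.fetch!(cfg, :key_name)

    %{
      method: :post,
      url: "#{Keyword.fetch!(cfg, :vault_addr)}/v1/#{mount}/sign/#{key}",
      headers: [{"x-vault-token", resolve_token(Keyword.fetch!(cfg, :token))}],
      # With prehashed: true, Vault signs the digest as given and never sees the payload.
      body: %{
        "input" => Base.encode64(digest),
        "prehashed" => true,
        "hash_algorithm" => "sha2-256"
      }
    }
  end

  defp resolve_token({:system, var}), do: System.fetch_env!(var)
  defp resolve_token(token) when is_binary(token), do: token

  # Vault returns "vault:v<key version>:<base64 signature>"; for ECDSA keys the
  # decoded bytes are a DER SEQUENCE of two INTEGERs (r, s). Only the short-form
  # lengths that occur for P-256 are accepted here.
  def parse_signature("vault:v" <> rest) do
    with [version, b64] <- String.split(rest, ":", parts: 2),
         {_n, ""} <- Integer.parse(version),
         {:ok, der} <- Base.decode64(b64),
         <<0x30, len, seq::binary-size(len)>> <- der,
         <<0x02, rl, _r::binary-size(rl), 0x02, sl, _s::binary-size(sl)>> <- seq,
         true <- rl in 1..33 and sl in 1..33 do
      {:ok, der}
    else
      _ -> {:error, :malformed_signature}
    end
  end

  def parse_signature(_), do: {:error, :malformed_signature}
end

# Constructed sample values; nothing is sent over the network.
cfg = [vault_addr: "https://vault.example.com", token: "constructed-token", key_name: "vds-signer"]
IO.inspect(TransitSignSketch.build_request("constructed VDS payload", cfg))
sample = "vault:v1:" <> Base.encode64(<<0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02>>)
IO.inspect(TransitSignSketch.parse_signature(sample))
```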