This shouldn't be too difficult, but probably involves branching quite a few additional packages for EPEL 10 since no sequoia stuff is there yet (sq and sqv are in RHEL proper).

Have you talked to Sequoia-PGP upstream about what you need and whether the keystore-server is a good fit? As far as I know, it's currently not even used in Fedora since I haven't made the necessary modifications in sq yet.

(In reply to Fabio Valentini from comment #1)
> This shouldn't be too difficult, but probably involves branching quite a few
> additional packages for EPEL 10 since no sequoia stuff is there yet (sq and
> sqv are in RHEL proper).
> 
> Have you talked to Sequoia-PGP upstream about what you need and whether the
> keystore-server is a good fit? As far as I know, it's currently not even
> used in Fedora since I haven't made the necessary modifications in sq yet.

I've not spoken with them about it, no, but I can describe why I'm using it. For the signing server, each signing key is encrypted with a server-generated secret. That secret is then encrypted with a user-specific password. A client starts a connection with the server and can request the server unlock keys which can then be used to sign things. This needs to happen per-connection.

For each connection, I create a keystore-server in which I load the encrypted key and then unlock it via the user password. Then, when that connection gets a signing request, it uses the keystore-server instance to sign the data. It keeps the decrypted key material in a separate process, which is nice, and each client is isolated from each other.