From b0835c3bd1fd26358645475bf0275b1d7d71773b Mon Sep 17 00:00:00 2001
From: Luke Klimek <zgroza@google.com>
Date: Mon, 12 Aug 2024 14:31:35 +0000
Subject: [PATCH] Add example way to implement ISigningStrategy using external
 KMS

---
 js/sign/README.md | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/js/sign/README.md b/js/sign/README.md
index 325f849e..75a09537 100644
--- a/js/sign/README.md
+++ b/js/sign/README.md
@@ -50,6 +50,9 @@ const { signedWebBundle } = await new wbnSign.IntegrityBlockSigner(
 
 // Option 3: With ones own CustomSigningStrategy class implementing
 // ISigningStrategy.
+// Example implementation of those two functionalities using Google Cloud KMS API:
+// sign: https://cloud.google.com/kms/docs/create-validate-signatures#create_signature
+// getPublicKey: https://cloud.google.com/kms/docs/create-validate-signatures#validate_ec_signature
 const { signedWebBundle } = await new wbnSign.IntegrityBlockSigner(
   webBundle,
   new (class {
@@ -78,7 +81,7 @@ import * as fs from 'fs';
 import * as wbnSign from 'wbn-sign';
 
 const privateKey = wbnSign.parsePemKey(
-  fs.readFileSync('./path/to/privatekey.pem', 'utf-8')
+  fs.readFileSync('./path/to/privatekey.pem', 'utf-8'),
 );
 
 // Web Bundle ID only:
@@ -86,7 +89,7 @@ const webBundleId = new wbnSign.WebBundleId(privateKey).serialize();
 
 // With origin, meaning "isolated-app://" combined with Web Bundle ID:
 const webBundleIdWithIWAOrigin = new wbnSign.WebBundleId(
-  privateKey
+  privateKey,
 ).serializeWithIsolatedWebAppOrigin();
 ```
 
@@ -104,15 +107,18 @@ This package also includes 2 CLI tools
 There are the following command-line flags available:
 
 - (required) `--private-key <filePath>` (`-k <filePath>`)  
-  which takes the path to ed25519 private key. If chosen format is `v2`, this can be specified multiple times.
+  which takes the path to ed25519 private key. If chosen format is `v2`, this
+  can be specified multiple times.
 - (required) `--input <filePath>` (`-i <filePath>`)  
   which takes the path to the web bundle to be signed.
 - (optional) `--output <filePath>` (`-o <filePath>`)  
   which takes the path to the wanted signed web bundle output. Default:
   `signed.swbn`.
 - (optional) `--version <version>`  
-  which can be either `v1` or `v2`, defaulting to `v1`. Sets the integrity block format.
-- (required if more than one key is provided) `--web-bundle-id <web-bundle-id>`  
+  which can be either `v1` or `v2`, defaulting to `v1`. Sets the integrity block
+  format.
+- (required if more than one key is provided)
+  `--web-bundle-id <web-bundle-id>`  
   which takes the `web-bundle-id` to be associated with the web bundle.
 
 Example commands: