
Code sign integration with Cloud HSMs #184

@stanhu

I'm wondering if it's possible to use rcodesign to notarize and sign macOS binaries with a private key stored in Google Cloud HSM. I see that #1 was implemented, but as far as I can tell this still requires a machine that has direct access to the private key.

Currently we sign Windows binaries using osslsigncode and Google's PKCS11 KMS library: https://github.com/GoogleCloudPlatform/kms-integrations.

What's nice about this setup is that:

  1. Binaries can be signed on Linux systems in an automated fashion with open source tools.
  2. The private key is never directly accessed and is securely stored in a cloud HSM.
  3. The PKCS11 standard is well-supported with Amazon CloudHSM, Google Cloud HSM, and other HSMs.

I see that there is https://github.com/kenh/keychain-pkcs11 available. That library seems to be only for macOS, unfortunately. Is it possible to use this or some other PKCS11 provider with rcodesign?
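The Windows setup the issue describes (osslsigncode driven through Google's PKCS#11 KMS library, so that the key never leaves the HSM) can be wrapped in a small CI helper. The following is an added example and is not code from rcodesign, osslsigncode or the kms-integrations project. The osslsigncode flags (`-pkcs11engine`, `-pkcs11module`, `-key`, `-certs`, `-h`, `-t`, `-in`, `-out`) and the `KMS_PKCS11_CONFIG` environment variable used by libkmsp11 are quoted from those tools' documentation as remembered and should be checked against the installed versions; every path, the PKCS#11 URI and the key ring name are placeholders.

```python
"""Sign a Windows binary on Linux with osslsigncode and a PKCS#11-backed key.

Added example (not part of the rcodesign project or this issue). The private key
stays in the cloud HSM: the only key-related value in this script is a PKCS#11
URI that names the key object, and the HSM performs the signature operation.
Flag names and the config variable are assumptions from the tools' docs.
"""
import os
import shutil
import subprocess
from pathlib import Path

# Placeholder locations (assumptions); adjust to your distribution and install.
PKCS11_ENGINE = "/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so"  # OpenSSL pkcs11 engine (libp11)
KMS_PKCS11_MODULE = "/opt/kmsp11/libkmsp11.so"                  # Google Cloud KMS PKCS#11 library
CONFIG_VAR = "KMS_PKCS11_CONFIG"                                # libkmsp11 reads its YAML config from here

# What the YAML pointed to by KMS_PKCS11_CONFIG looks like (placeholder key ring):
#   tokens:
#     - key_ring: "projects/PROJECT/locations/LOCATION/keyRings/KEY_RING"


def build_sign_command(input_exe, output_exe, key_uri, cert_chain,
                       timestamp_url=None, digest="sha256"):
    """Return the osslsigncode argv. Note that no private key material appears here."""
    argv = [
        "osslsigncode", "sign",
        "-pkcs11engine", PKCS11_ENGINE,
        "-pkcs11module", KMS_PKCS11_MODULE,
        "-key", key_uri,             # e.g. "pkcs11:object=windows-codesign-key" (placeholder)
        "-certs", str(cert_chain),   # public certificate chain; safe to keep alongside the CI config
        "-h", digest,
        "-in", str(input_exe),
        "-out", str(output_exe),
    ]
    if timestamp_url:
        argv += ["-t", timestamp_url]  # RFC 3161 timestamp so the signature survives cert expiry
    return argv


def check_prerequisites(env=None):
    """List what is missing before calling out, instead of surfacing an opaque PKCS#11 error."""
    env = os.environ if env is None else env
    problems = []
    if shutil.which("osslsigncode") is None:
        problems.append("osslsigncode not on PATH")
    for label, path in (("pkcs11 engine", PKCS11_ENGINE), ("kmsp11 module", KMS_PKCS11_MODULE)):
        if not Path(path).is_file():
            problems.append(f"{label} missing: {path}")
    cfg = env.get(CONFIG_VAR)
    if not cfg:
        problems.append(f"{CONFIG_VAR} not set (libkmsp11 needs its YAML config)")
    elif not Path(cfg).is_file():
        problems.append(f"{CONFIG_VAR} points at a missing file: {cfg}")
    return problems


def sign(input_exe, output_exe, key_uri, cert_chain, timestamp_url=None, dry_run=False):
    """Run the signing step; with dry_run=True only return the argv that would be executed."""
    argv = build_sign_command(input_exe, output_exe, key_uri, cert_chain, timestamp_url)
    if dry_run:
        return argv
    problems = check_prerequisites()
    if problems:
        raise RuntimeError("cannot sign: " + "; ".join(problems))
    subprocess.run(argv, check=True)  # the HSM signs; osslsigncode only sees the signature
    return argv


if __name__ == "__main__":
    # Dry run so the script is safe to execute anywhere; drop dry_run to sign for real.
    print(" ".join(sign("app.exe", "app-signed.exe", "pkcs11:object=windows-codesign-key",
                        "codesign-chain.pem", timestamp_url="http://timestamp.example",
                        dry_run=True)))
```

Because the certificate chain is public and the key is addressed only by URI, the CI job needs HSM *use* permission on the key and nothing else; rotating or revoking that permission is the whole story for taking a compromised runner out of the signing path.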
