
PKCS11 build indicator #2598

Open
gerard-samuel wants to merge 4 commits into smallstep:master from originaltrini0:hsm-version-mod

Conversation

@gerard-samuel
Contributor

Name of feature:

An indicator for when step-ca has PKCS11 features enabled

Pain or issue this feature alleviates:

While attempting to build the step-ca binary with Ansible, I could not easily determine if PKCS11 features were enabled.
Currently, there are no differentiators to determine if PKCS11 features are enabled.
With this change, the output changes to the following when built with CGO_ENABLED=1:

$ make bootstrap && make build GO_ENVS="CGO_ENABLED=1" VERSION="0.29.0"
$ ./bin/step-ca --version
Smallstep CA/0.29.0+hsm (linux/amd64)
Release Date: 2026-03-16 23:37 UTC

Why is this important to the project (if not answered above):

There should be a way to determine whether a binary has PKCS11 features. It will reduce troubleshooting time when building binaries.

Is there documentation on how to use this feature? If so, where?

N/A

In what environments or workflows is this feature supported?

I tested on both macOS Sequoia (ARM64) and Proxmox VM (AMD64)

In what environments or workflows is this feature explicitly NOT supported (if any)?

N/A

Supporting links/other PRs/issues:

I posted my experience trying to determine if PKCS11 was available at the Smallstep Discord:
https://discord.com/channels/837031272227930163/841249977699401759/1469332654099795980

💔Thank you!

gerard-samuel and others added 2 commits March 16, 2026 10:08
…uilt with CGO enabled. When CGO is enabled, append "+hsm" after the version string.
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Mar 17, 2026
@hslatman hslatman self-assigned this Mar 17, 2026
@hslatman
Member

hslatman commented Mar 18, 2026

Hey @gerard-samuel, thank you for opening the PR.

We think it's nice to be able to show some more info, but we believe adding +hsm isn't strictly what it should be saying when it's "just" a CGo-enabled build. The fact that it includes support for HSMs is derived from CGO_ENABLED=1, transitively through the https://github.com/smallstep/crypto/blob/master/kms/pkcs11/pkcs11.go file, and, even then, I believe it's only directly through operations against HSM PKCS#11 modules.

I'll noodle on this for a bit and see if we can find a nice pattern that works for more use cases.

By the way, if you build the binary like below, you can inspect quite a bit of metadata using go version -m <binary>. E.g.:

$ go build -o step-ca ./cmd/step-ca
$ go version -m step-ca
step-ca: go1.26.0
	path	github.com/smallstep/certificates/cmd/step-ca
	mod	github.com/smallstep/certificates	v0.30.0-rc4.0.20260318011927-d4103d6626a6+dirty
	dep	cloud.google.com/go/auth	v0.18.2	h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
	dep	cloud.google.com/go/auth/oauth2adapt	v0.2.8	h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
	....
	dep	google.golang.org/genproto/googleapis/rpc	v0.0.0-20260226221140-a57be14db171	h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
	dep	google.golang.org/grpc	v1.79.2	h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
	dep	google.golang.org/protobuf	v1.36.11	h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
	build	-buildmode=exe
	build	-compiler=gc
	build	DefaultGODEBUG=cryptocustomrand=1,tlssecpmlkem=0,urlstrictcolons=0
	build	CGO_ENABLED=1
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=arm64
	build	GOOS=darwin
	build	GOARM64=v8.0
	build	vcs=git
	build	vcs.revision=d4103d6626a6b1e95223610b7fc46757aaa255b8
	build	vcs.time=2026-03-18T01:19:27Z
	build	vcs.modified=true

Reading the CGO_ENABLED=1 value from the output could be a (temporary) workaround for you?
You can also use the -json flag to get the same output in JSON format.

P.S.: don't mind the vcs.modified=true; this is just my local build (without a version)
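The workaround suggested above, reading CGO_ENABLED out of the go version -m output, as an added example (not code from this PR or from smallstep): a small Go program that parses that text, picks up the toolchain version, the main module version and every build KEY=VALUE setting, and reports whether CGO_ENABLED=1 was recorded. A missing setting (stripped build info, older toolchain) is reported as unknown rather than as disabled, so an Ansible check does not silently treat it as a non-HSM build. The program name cgocheck and the usage pipeline are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// BuildInfo: toolchain, main module version and "build KEY=VALUE" settings from go version -m.
type BuildInfo struct {
	GoVersion, Module, Version string
	Settings                   map[string]string
}

// ParseGoVersionOutput parses that text: a "<file>: goX.Y" header line, then
// tab-indented path/mod/dep/build records. Empty values (CGO_CFLAGS=) are kept.
func ParseGoVersionOutput(text string) BuildInfo {
	bi := BuildInfo{Settings: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		switch {
		case !strings.HasPrefix(line, "\t") && strings.Contains(line, ": "):
			bi.GoVersion = line[strings.LastIndex(line, " ")+1:]
		case f[0] == "mod" && len(f) >= 3:
			bi.Module, bi.Version = f[1], f[2]
		case f[0] == "build" && len(f) == 2:
			if k, v, ok := strings.Cut(f[1], "="); ok {
				bi.Settings[k] = v
			}
		}
	}
	return bi
}

// CGOEnabled reports CGO_ENABLED=1; known=false (key absent) means unknown, not off.
func (bi BuildInfo) CGOEnabled() (enabled, known bool) {
	v, ok := bi.Settings["CGO_ENABLED"]
	return v == "1", ok
}

func main() { // usage: go version -m ./bin/step-ca | cgocheck
	in, _ := io.ReadAll(os.Stdin) // a stdin read error just yields an empty report
	bi := ParseGoVersionOutput(string(in))
	e, k := bi.CGOEnabled()
	fmt.Printf("%s %s %s cgo=%v (recorded=%v)\n", bi.Module, bi.Version, bi.GoVersion, e, k)
}
```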
