GCPSigner: Tweak import return value

Instead of being a constructor, import_() now returns the private key
URI and the public Key. This makes sense as
* it's still trivial to construct the Signer if needed
* In many cases we don't actually use the Signer at import time
* This works around the problem that a Signer instance might need a
  SecretsHandler
* This setup likely works for key generation as well

Author: jku

securesystemslib/signer/_gcp_signer.py

@@ -85,8 +85,12 @@ def from_priv_key_uri(
         return cls(uri.path, public_key)
 
     @classmethod
-    def import_(cls, gcp_keyid: str):
-        """Load signer (including public key) from KMS"""
+    def import_(cls, gcp_keyid: str) -> Tuple[str, Key]:
+        """Load key and signer details from KMS
+
+        Returns the private key uri and the public key. This method should only
+        be called once per key: the uri and Key should be stored for later use.
+        """
         if GCP_IMPORT_ERROR:
             raise exceptions.UnsupportedLibraryError(GCP_IMPORT_ERROR)
 
@@ -104,7 +108,7 @@ def import_(cls, gcp_keyid: str):
         keyid = _get_keyid(keytype, scheme, keyval)
         public_key = SSlibKey(keyid, keytype, scheme, keyval)
 
-        return cls(gcp_keyid, public_key)
+        return f"{cls.SCHEME}:{gcp_keyid}", public_key
 
     @staticmethod
     def _get_keytype_and_scheme(algorithm: int) -> Tuple[str, str]:

tests/check_kms_signers.py

@@ -65,8 +65,9 @@ def test_gcp_import(self):
         assign @jku.
         """
 
-        signer = GCPSigner.import_(self.gcp_id)
-        self.assertEqual(self.pubkey, signer.public_key)
+        uri, key = GCPSigner.import_(self.gcp_id)
+        self.assertEqual(key, self.pubkey)
+        self.assertEqual(uri, f"gcpkms:{self.gcp_id}")
 
 
 if __name__ == "__main__":