On 2021-11-01 18:49:48 (+0100), Pierre Schmitz via arch-dev-public wrote:
> On Mon, Nov 1, 2021 at 5:10 PM David Runge <dave@sleepmap.de> wrote:
> > ... use an ephemeral PGP key (which is fine, as it is not relevant whether it is a specific PGP key, only that the *correct* PGP key is used to validate the root image).
> Thanks for your insights. I think I now found the missing pieces. Using an ephemeral key made it much easier. I created it as it is done in https://gitlab.archlinux.org/archlinux/archiso/-/blob/master/.gitlab/ci/buil... (not part of archiso itself, so I got confused). I re-uploaded the arch folder. Let's hope that fixes the issue.

Cool, glad you could fix it! :) Yes, the key has to be provided during build time, which is possible, but starts getting a bit ugly once one is switching user contexts (nl6720 uses that type of setup from time to time, if you have questions). The build runs on a secure runner as root (in a VM in a container). There are still a few things preventing us from being able to run archiso without root [1].

> Still, doesn't this show we do not really need GPG to achieve verification? We currently use _verify_signature() in mkinitcpio-archiso, but shouldn't _verify_checksum() be as secure without the hassle to involve GPG?

Hm, I would argue that PGP is cryptographically strong, is already implemented for this use-case and works (TM). Unless someone comes up with an equal or better solution that we can use there, I guess it is the way for us to do this currently. Additionally, this is already solved and automated within the context of releng and I believe a good way forward would be to establish a workflow in which we rely on the automatically built artifacts. As pointed out by you in your initial mail, you are currently the only person responsible for the openssl based codesigning certificate. All we need to do is create a new one following the workflow described in the README of the releng project and start using it (which conveniently also raises the bus factor for this a bit). What do you think? :)

Best,
David

[1] https://gitlab.archlinux.org/archlinux/archiso/-/issues/40

-- 
https://sleepmap.de
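The following script is an added illustration of the build-time ephemeral-key flow discussed above, and of the signature-versus-checksum question Pierre raises. It is not code from archiso, mkinitcpio-archiso or the releng repository: the key user-id, the file names and the "checksum file shipped beside the image" variant are assumptions made here for the example. The build side generates a throwaway key, signs a stand-in root image and hands only the public half to the verifying side; the private half disappears with the build directory. It needs GnuPG 2.1 or later and coreutils.

```shell
#!/bin/sh
# Added example (not archiso's own code): ephemeral PGP key at build time,
# public key only on the verifying side, compared with a plain checksum file.
set -eu

WORK="$(mktemp -d)"
BUILD_HOME="$WORK/build-gnupg"        # build-time keyring, thrown away afterwards
VERIFY_HOME="$WORK/initramfs-gnupg"   # stands in for the keyring carried by the initramfs
mkdir -m 700 "$BUILD_HOME" "$VERIFY_HOME"
IMAGE="$WORK/airootfs.sfs"
printf 'constructed stand-in for the root image\n' > "$IMAGE"   # constructed sample data

# Stop the agents GnuPG spawns for the temporary homedirs and drop the build key.
trap 'gpgconf --homedir "$BUILD_HOME" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$VERIFY_HOME" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# Build side: non-interactive key without passphrase, never expires, public key exported.
gen_ephemeral_key() {
    gpg --homedir "$BUILD_HOME" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Ephemeral build key <build@example.invalid>' \
        default default never 2>/dev/null
    gpg --homedir "$BUILD_HOME" --batch --export --armor > "$WORK/pubkey.asc"
}

# Build side: detached signature, plus a checksum file placed beside the image
# (the "no GPG" alternative under discussion).
sign_image() {
    gpg --homedir "$BUILD_HOME" --batch --pinentry-mode loopback --passphrase '' \
        --yes --detach-sign --output "$1.sig" "$1" 2>/dev/null
    sha512sum "$1" > "$1.sha512"
}

# Verify side: imports only the public key; exit status 0 on a good signature.
verify_signature() {
    gpg --homedir "$VERIFY_HOME" --batch --import "$WORK/pubkey.asc" 2>/dev/null
    gpg --homedir "$VERIFY_HOME" --batch --verify "$1.sig" "$1" 2>/dev/null
}

# Verify side: exit status 0 when the image matches the checksum file next to it.
verify_checksum() {
    sha512sum --status -c "$1.sha512"
}

# An attacker who can rewrite the medium but holds no private key: replaces the
# image and recomputes the checksum file that sits beside it.
tamper() {
    printf 'malicious replacement\n' > "$1"
    sha512sum "$1" > "$1.sha512"
}

gen_ephemeral_key
sign_image "$IMAGE"
verify_signature "$IMAGE" && echo "pristine image: signature good"
verify_checksum "$IMAGE"  && echo "pristine image: checksum good"
tamper "$IMAGE"
verify_checksum "$IMAGE"  && echo "tampered image: checksum still passes (attacker recomputed it)"
verify_signature "$IMAGE" || echo "tampered image: signature BAD (no private key to re-sign)"
```

The point the last two lines make is the one that decides between `_verify_signature()` and `_verify_checksum()`: whichever of the two is used, the verifier's reference (public key or expected hash) has to live somewhere the attacker cannot rewrite along with the image. A checksum file on the same medium as the image gives no such guarantee; a hash or key that is carried inside a separately authenticated initramfs does, and the choice between them is then one of workflow rather than of cryptographic strength.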