On 13.05.2018 22:47, Christian Rebischke via arch-dev-public wrote:
We could just generate an automated cloud image signing key (only for this purpose) of course and automatically sign the images with that key. Problem with this is: If our build server ever get pwned the person will have these keys for signing cloud images as well. Any opinion about this?
We had that discussion some years ago about signing our pacman databases. I mostly remember that we didn't reach a consensus, but you might want to search the archives for details. At some point there was a proposal to have a dedicated signing host that is well protected and receives files and then returns the signature. I'm not sure if that was turned down or if there was simply nobody to work on this. Does anyone remember that?
I think this would be a viable option for us. We could also implement some form of rate limiting and sanity checks to ensure we only sign things that we want to sign. For example, only one ISO can be signed per month and the request must come from a specific IP. I probably won't do any implementation, but I'd offer to provide feedback and design help if someone wants to work on this. Assuming we first agree that we want to do it this way.