On 30/1/22 03:22, Kristian Klausen via arch-dev-public wrote:
Hi all
The lack of package database signing was mentioned yet again and I think it is time to get the "Signing enclave" project rolling.
A design was sketched two years ago[1], and based on that design I'm proposing a new design, without an HSM, which should be implementable today.
The initial goal would be setting up the necessary infrastructure for us to be able to implement package database signing. Afterwards we can iterate and adapt the solution for more use-cases (ex: releng signing).
Hosting:
- Hosted on a Hetzner cloud VM as most of our infrastructure
- Managed by the DevOps team

Key management:
- A master key is generated and stored encrypted in the infrastructure repository[2]
- A subkey for signing is generated and stored encrypted in the infrastructure repository[2] and unencrypted on the signing server

Signing:
- SSHing to a restricted UNIX user with ForceCommand=signing-script
- All signing operations are logged
- Only signing requests from gemini's WireGuard IP address are allowed
[1] https://gitlab.archlinux.org/archlinux/signstar
[2] https://gitlab.archlinux.org/archlinux/infrastructure
Do it! If you get this done soon, I will write the dbscripts changes to automatically build for secondary architecture(s) for any package that is uploaded in the primary architecture only. I cannot guarantee I will have time in a month...

Allan
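As an added example that is not part of the thread (and not Arch's signstar or infrastructure code), this is what the restricted-user/ForceCommand part of the proposed design could look like: a POSIX sh wrapper that sshd runs for every connection to the signing user, which accepts only a database-signing request from the expected WireGuard peer and logs every decision. The peer address, repository directory, log file, key id and the "signer" user are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a ForceCommand wrapper for the restricted
# signing user. It accepts only "sign <repo>.db.tar.gz" or "sign <repo>.files.tar.gz"
# from the expected WireGuard peer, logs every decision, and detach-signs the file.
# ALLOWED_PEER, DB_DIR, LOG_FILE and SIGN_KEY are placeholders (assumptions).
# Assumed sshd_config: "Match User signer" with "ForceCommand /path/to/this-script".
set -eu
ALLOWED_PEER="${ALLOWED_PEER:-10.0.0.2}"      # placeholder: gemini's WireGuard address
DB_DIR="${DB_DIR:-/srv/repos}"                 # placeholder: directory holding the .db files
LOG_FILE="${LOG_FILE:-/var/log/signing.log}"   # placeholder: audit log of every request
SIGN_KEY="${SIGN_KEY:-SIGNING-SUBKEY-ID}"      # placeholder: id of the signing subkey

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"; }

# $1 is SSH_CONNECTION ("client_ip client_port server_ip server_port");
# succeed only when the client address is the allowed WireGuard peer.
check_peer() { [ "${1%% *}" = "$ALLOWED_PEER" ]; }

# $1 is the requested command. Accept only "sign <name>" where <name> is a bare
# database file name (no slashes, "..", or spaces); print the name or fail.
parse_request() {
    case "$1" in
        "sign "*) name="${1#sign }" ;;
        *) return 1 ;;
    esac
    case "$name" in
        ""|*/*|*..*|*" "*) return 1 ;;
        *.db.tar.gz|*.files.tar.gz) printf '%s\n' "$name" ;;
        *) return 1 ;;
    esac
}

main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if ! check_peer "${SSH_CONNECTION:-}"; then
        log "REJECT reason=peer conn='${SSH_CONNECTION:-}' cmd='$req'"; exit 1
    fi
    if ! name="$(parse_request "$req")"; then
        log "REJECT reason=request cmd='$req'"; exit 1
    fi
    log "SIGN user=$(id -un) file=$name"
    gpg --batch --yes --local-user "$SIGN_KEY" --detach-sign \
        --output "$DB_DIR/$name.sig" "$DB_DIR/$name"
    log "DONE file=$name"
}

# Run only when invoked by sshd (both variables set); sourcing for tests does nothing.
if [ -n "${SSH_CONNECTION:-}" ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then main; fi
```

Because sshd sets SSH_ORIGINAL_COMMAND and SSH_CONNECTION itself, the client cannot forge either, so the peer check and the request allowlist are enforced regardless of what is typed after `ssh signer@host`.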