[arch-dev-public] Automatic Signing of ISOs, pacman databases and everything else (was: Arch Linux Cloud Images (virtualbox and Qemu))

Florian Pritz bluewind at xinu.at
Wed Nov 7 11:47:00 UTC 2018 

On Tue, May 15, 2018 at 05:25:07PM +0200, Florian Pritz via arch-dev-public <arch-dev-public at archlinux.org> wrote:
> On 13.05.2018 22:47, Christian Rebischke via arch-dev-public wrote:
> > We could just generate an automated cloud image signing key (only for
> > this purpose) of course and automatically sign the images with that key.
> > Problem with this is: If our build server ever get pwned the person will
> > have these keys for signing cloud images as well. Any opinion about
> > this?
> 
> We had that discussion some years ago about signing our pacman
> databases. I mostly remember that we didn't reach a consensus, but you
> might want to search the archives for details. At some point there was a
> proposal to have a dedicated signing host that is well protected and
> receives files and then returns the signature. I'm not sure if that was
> turned down or if there was simply nobody to work on this. Does anyone
> remember that?
> 
> I think this would be a viable option for us. We could also implement
> some form of rate limiting and sanity checks to ensure we only sign
> things that we want to sign. For example, only one ISO can be signed per
> month and the request must come from a specific IP. I probably won't do
> any implementation, but I'd offer to provide feedback and design help if
> someone wants to work on this. Assuming we first agree that we want to
> do it this way.

After the topic was raised again in #archlinux-dev I've created a POC
script which you can view here:
https://git.server-speed.net/users/flo/alass/tree/alass

There are still various open steps to actually put this to use:
 - Create an ansible role that deploys the script + configures an SSH
   user for it (including GPG key)
 - Determine if and how we want to extend the verification logic in
   allowed_to_sign(). We may want to verify the content of the tarball
   (if the signed file is a package), ratelimit the requests or perform
   some other checks. Right now it verifies the file name, but that is
   not part of the signature, so it can easily be faked.  We can
   implement some restrictions via SSH (limit the remote IP to e.g.
   orion.archlinux.org and obviously use an SSH key for authentication),
   but any checks of the data have to be performed in the script.
 - Once we are happy with it all, we need to set up a dedicated host
   (I'd suggest a small vm @hetzner), create a new GPG key and get it
   signed by our master keys. Then we can start automatically signing
   things.

If anyone wants to help with any of these steps (especially the
verification logic) please post here or talk to me on IRC. If you have
ideas what/how to verify things, also please post and keep in mind that
we should aim for simple checks since those are less likely to result in
security issues. This script essentially receives untrusted input.

Florian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20181107/495c034c/attachment-0001.asc>

More information about the arch-dev-public mailing list