[arch-dev-public] Signing enclave

Kristian Klausen kristian at klausen.dk
Sat Jan 29 17:22:29 UTC 2022


Hi all

The lack of package database signing was mentioned yet again and I think 
it is time to get the "Signing enclave" project rolling.

A design was sketched two years ago[1], and based on that design I'm 
proposing a new design, without an HSM, which should be implementable today.

The initial goal would be setting up the necessary infrastructure for us 
to be able to implement package database signing. Afterwards we can 
iterate and adapt the solution for more use-cases (ex: releng signing).

Hosting:
- Hosted on a Hetzner cloud VM as most of our infrastructure
- Managed by the DevOps team

Key management:
- A master key is generated and stored encrypted in the infrastructure 
repository[2]
- A subkey for signing is generated and stored encrypted in the 
infrastructure repository[2] and unencrypted on the signing server

Signing:
- SSHing to a restricted UNIX user with ForceCommand=signing-script
- All signing operations are logged
- Only signing requests from gemini's WireGuard IP address are allowed

[1] https://gitlab.archlinux.org/archlinux/signstar
[2] https://gitlab.archlinux.org/archlinux/infrastructure

Best regards
Kristian Klausen
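The restricted-user design above (ForceCommand to a signing script, every request logged, only gemini's WireGuard address accepted) is concrete enough to sketch in code. The following is an added example and not the Arch signing-script or any code from the infrastructure repository; the WireGuard peer address, the request grammar ("sign <database file name>"), the drop directory, the log path and the key selector are all placeholders assumed for illustration, and whether the real service would take a file name or the bytes to sign is not specified in the mail.

```shell
#!/bin/sh
# Added example (not Arch Linux's signing-script): a ForceCommand wrapper for
# a restricted UNIX signing user. Every name below is an assumption made for
# illustration: the allowed WireGuard peer, the request grammar, the database
# drop directory, the audit log and the key selector passed to gpg.
set -eu

ALLOWED_CLIENT=${SIGNING_ALLOWED_CLIENT:-10.0.0.2}      # assumed WireGuard address of gemini
DB_DIR=${SIGNING_DB_DIR:-/srv/signing/incoming}          # assumed drop directory for databases
LOG_FILE=${SIGNING_LOG:-/var/log/signing-enclave.log}    # assumed audit log
SIGNING_KEY=${SIGNING_KEY:-signing@example.invalid}      # assumed --local-user for the subkey

# First field of SSH_CONNECTION is the client address sshd itself saw; unlike
# anything inside the request it cannot be chosen by the client.
client_ip() {
    printf '%s\n' "${1%% *}"
}

# Returns 0 only when the peer is the configured WireGuard address.
check_client() {
    [ "$1" = "$ALLOWED_CLIENT" ]
}

# Accepts exactly "sign <name>" where <name> is a bare file name: no path
# components, no whitespace or shell metacharacters, and an expected suffix.
# Prints the name on success, returns 1 for anything else. The request is never
# handed to a shell, so this allow-list is the input validation.
parse_request() {
    case "$1" in
        "sign "*) name=${1#sign } ;;
        *) return 1 ;;
    esac
    case "$name" in
        ''|.*|*[!a-z0-9._-]*) return 1 ;;
    esac
    case "$name" in
        *.db.tar.gz|*.files.tar.gz) printf '%s\n' "$name" ;;
        *) return 1 ;;
    esac
}

# Every request, accepted or refused, is appended to the log before any
# signing happens, so the log is a complete record of who asked for what.
log_event() {
    printf '%s client=%s request="%s" result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$LOG_FILE"
}

# Detached signature next to the database, made with the unencrypted subkey
# on the server; the encrypted master key never has to be present here.
sign_file() {
    gpg --batch --yes --detach-sign --local-user "$SIGNING_KEY" \
        --output "$DB_DIR/$1.sig" "$DB_DIR/$1"
}

main() {
    client=$(client_ip "${SSH_CONNECTION:-}")
    request=${SSH_ORIGINAL_COMMAND:-}
    if ! check_client "$client"; then
        log_event "$client" "$request" refused-client
        echo "refused" >&2
        exit 1
    fi
    if ! name=$(parse_request "$request"); then
        log_event "$client" "$request" refused-request
        echo "refused" >&2
        exit 1
    fi
    if sign_file "$name"; then
        log_event "$client" "$request" signed
    else
        log_event "$client" "$request" gpg-failed
        exit 1
    fi
}

# sshd sets SSH_CONNECTION for every session it starts. Run by hand (or
# sourced in a test) the functions are defined but nothing is signed.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

The wrapper is meant to be wired in with an sshd `Match User` block that sets `ForceCommand` to it and disables what the user must not get (`PermitTTY no`, `AllowAgentForwarding no`, `AllowTcpForwarding no`, `X11Forwarding no`), or equivalently with a `command="..."` restriction in the user's authorized_keys. The address check in the script is deliberately a second layer: the same restriction belongs in the firewall and can also be expressed as `Match Address` in sshd_config, so a mistake in one place does not open the service.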

