[arch-dev-public] Signing enclave
kristian at klausen.dk
Sat Jan 29 17:22:29 UTC 2022
The lack of package database signing was mentioned yet again and I think
it is time to get the "Signing enclave" project rolling.
A design was sketched two years ago, and based on that design I'm
proposing a new design, without an HSM, which should be implementable today.
The initial goal would be setting up the necessary infrastructure for us
to be able to implement package database signing. Afterwards we can
iterate and adapt the solution for more use-cases (e.g. releng signing).
- Hosted on a Hetzner cloud VM as most of our infrastructure
- Managed by the DevOps team
- A master key is generated and stored encrypted in the infrastructure
- A subkey for signing is generated and stored encrypted in the
infrastructure repository and unencrypted on the signing server
- SSHing to a restricted UNIX user with ForceCommand=signing-script
- All signing operations are logged
- Only signing requests from gemini's WireGuard IP address are allowed
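To make the last three points concrete, here is an added example of what the restricted user's ForceCommand wrapper could look like. It is illustrative code written for this post, not anything from the Arch infrastructure repository. It assumes the client passes its request through `SSH_ORIGINAL_COMMAND` as `sign <db filename>`, that sshd's `SSH_CONNECTION` carries the WireGuard peer address (the `10.0.0.2` value is a constructed placeholder), that the signing subkey is already in the signing user's GnuPG keyring, and that the `gpg` invocation and the `/srv/signing` and `/var/log` paths are hypothetical and would be adjusted to the real deployment.

```bash
#!/bin/sh
# signing-script: hypothetical ForceCommand wrapper for the "Signing enclave".
# Added example, not the project's own code.
#
# Assumed sshd_config fragment for the restricted user (hypothetical):
#   Match User signing
#       ForceCommand /usr/local/bin/signing-script
#       PermitTTY no
#       AllowAgentForwarding no
#       AllowTcpForwarding no
#       X11Forwarding no

ALLOWED_PEER="${ALLOWED_PEER:-10.0.0.2}"              # constructed WireGuard peer address
WORKDIR="${WORKDIR:-/srv/signing}"                     # hypothetical drop directory for databases
LOGFILE="${LOGFILE:-/var/log/signing-enclave.log}"    # hypothetical audit log
# Signing backend, called as: $SIGN_CMD <output .sig> <input file>
SIGN_CMD="${SIGN_CMD:-gpg --batch --yes --detach-sign --output}"

# Append one timestamped audit line; every decision (allow or deny) is logged.
log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOGFILE"; }

# Accept only the exact verb "sign" followed by one safe database filename:
# no path components, no leading dash (option injection), no shell metacharacters,
# and only the package database / files tarball naming patterns.
validate_request() {
  req="$1"
  case "$req" in
    "sign "*) ;;
    *) return 1 ;;
  esac
  file="${req#sign }"
  case "$file" in
    ""|-*|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  case "$file" in
    *.db.tar.gz|*.db.tar.xz|*.db.tar.zst|*.files.tar.gz|*.files.tar.xz|*.files.tar.zst) return 0 ;;
    *) return 1 ;;
  esac
}

# SSH_CONNECTION is "<client ip> <client port> <server ip> <server port>";
# only the WireGuard peer address is allowed to request signatures.
check_peer() {
  client="${1%% *}"
  [ "$client" = "$ALLOWED_PEER" ]
}

# Full request handling; returns 0 on success, a distinct non-zero code per denial.
handle_request() {
  req="$1"; conn="$2"; peer="${conn%% *}"
  if ! check_peer "$conn"; then
    log "DENY reason=peer peer=$peer req=[$req]"; return 2
  fi
  if ! validate_request "$req"; then
    log "DENY reason=request peer=$peer req=[$req]"; return 3
  fi
  file="${req#sign }"
  if [ ! -f "$WORKDIR/$file" ]; then
    log "DENY reason=missing peer=$peer file=$file"; return 4
  fi
  if $SIGN_CMD "$WORKDIR/$file.sig" "$WORKDIR/$file"; then
    log "OK peer=$peer file=$file"
  else
    log "FAIL peer=$peer file=$file"; return 5
  fi
}

# Entry point when invoked by sshd as the ForceCommand.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  handle_request "$SSH_ORIGINAL_COMMAND" "${SSH_CONNECTION:-}"
  exit $?
fi
```

The client side would then be a single `ssh signing@enclave 'sign core.db.tar.gz'` from gemini, with the database already transferred into the drop directory; because the verb and filename are allowlisted rather than passed to a shell, a compromised client cannot turn the channel into a general-purpose remote command interface, and the audit log records both accepted and rejected requests.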