[arch-dev-public] Signing enclave
Kristian Klausen
kristian at klausen.dk
Sat Jan 29 17:22:29 UTC 2022
Hi all
The lack of package database signing was mentioned yet again and I think
it is time to get the "Signing enclave" project rolling.
A design was sketched two years ago[1], and based on that design I'm
proposing a new design, without an HSM, which should be implementable today.
The initial goal would be setting up the necessary infrastructure for us
to be able to implement package database signing. Afterwards we can
iterate and adapt the solution for more use-cases (ex: releng signing).
Hosting:
- Hosted on a Hetzner cloud VM as most of our infrastructure
- Managed by the DevOps team

Key management:
- A master key is generated and stored encrypted in the infrastructure
repository[2]
- A subkey for signing is generated and stored encrypted in the
infrastructure repository[2] and unencrypted on the signing server

Signing:
- SSHing to a restricted UNIX user with ForceCommand=signing-script
- All signing operations are logged
- Only signing requests from gemini's WireGuard IP address are allowed
[1] https://gitlab.archlinux.org/archlinux/signstar
[2] https://gitlab.archlinux.org/archlinux/infrastructure
Best regards
Kristian Klausen
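As an added illustration (not code from the proposal or from Arch's infrastructure), here is the shape a ForceCommand "signing-script" could take: it checks the peer address sshd reports in SSH_CLIENT against the one allowed WireGuard IP, accepts only a narrowly validated request from SSH_ORIGINAL_COMMAND, and logs every decision. The address 10.0.0.2, the "sign-db <repo>" request format and the log path are assumptions.

```shell
#!/bin/sh
# Hypothetical ForceCommand target for the restricted signing user.
# sshd runs it with SSH_CLIENT ("ip port port") and SSH_ORIGINAL_COMMAND set.
set -f   # no globbing while word-splitting untrusted input below

ALLOWED_SRC_IP="${ALLOWED_SRC_IP:-10.0.0.2}"        # placeholder for gemini's WireGuard IP
LOG_FILE="${LOG_FILE:-/var/log/signing-script.log}" # assumed log location

# Append one timestamped line per signing request (accepted or rejected).
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# Only the expected WireGuard peer may request signatures.
check_source() {
    [ "${1%% *}" = "$ALLOWED_SRC_IP" ]
}

# Accept exactly "sign-db <repo>" where <repo> is [a-z0-9-]+ (no paths,
# no extra words); print the repo name on success.
parse_request() {
    set -- $1
    [ "$#" -eq 2 ] && [ "$1" = "sign-db" ] || return 1
    case "$2" in
        ''|*[!a-z0-9-]*) return 1 ;;
    esac
    printf '%s\n' "$2"
}

# Validate source and request, log the decision, print the repo to sign.
authorize() {
    src="$1" req="$2"
    if ! check_source "$src"; then
        log "REJECT src=${src%% *} reason=source"
        return 1
    fi
    if ! repo=$(parse_request "$req"); then
        log "REJECT src=${src%% *} reason=request cmd='$req'"
        return 1
    fi
    log "ACCEPT src=${src%% *} repo=$repo"
    printf '%s\n' "$repo"
}

# When invoked by sshd (ForceCommand /usr/local/bin/signing-script), the
# caller would continue with: repo=$(authorize "$SSH_CLIENT" "$SSH_ORIGINAL_COMMAND")
# and then detach-sign "$repo.db" with the unencrypted signing subkey.
```

Pairing this with `Match User <signing-user>` plus `PermitTTY no`, `AllowAgentForwarding no` and `AllowTcpForwarding no` in sshd_config keeps the account limited to this one command.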