[arch-dev-public] Signing enclave
Allan McRae
allan at archlinux.org
Sat Jan 29 23:11:30 UTC 2022
On 30/1/22 03:22, Kristian Klausen via arch-dev-public wrote:
> Hi all
>
> The lack of package database signing was mentioned yet again and I think
> it is time to get the "Signing enclave" project rolling.
>
> A design was sketched two years ago[1], and based on that design I'm
> proposing a new design, without a HSM, which should be implementable today.
>
> The initial goal would be setting up the necessary infrastructure for us
> to be able to implement package database signing. Afterwards we can
> iterate and adapt the solution for more use-cases (ex: releng signing).
>
> Hosting:
> - Hosted on a Hetzner cloud VM as most of our infrastructure
> - Managed by the DevOps team
>
> Key management:
> - A master key is generated and stored encrypted in the infrastructure
> repository[2]
> - A subkey for signing is generated and stored encrypted in the
> infrastructure repository[2] and unencrypted on the signing server
>
> Signing:
> - SSHing to a restricted UNIX user with ForceCommand=signing-script
> - All signing operations are logged
> - Only signing requests from gemini's WireGuard IP address is allowed
>
> [1] https://gitlab.archlinux.org/archlinux/signstar
> [2] https://gitlab.archlinux.org/archlinux/infrastructure
>
Do it!
If you get this done soon, I will write the dbscripts changes to
automatically build for secondary architecture(s) for any package that
is uploaded in the primary architecture only. I can not guarantee I
will have time in a month...
Allan
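The quoted design restricts signing to an SSH login as a locked-down UNIX user with a ForceCommand and only accepts connections from gemini's WireGuard address. The sshd_config fragment below is an added illustration of that pattern, not configuration from the infrastructure repository or from Allan's or Kristian's messages. The user name `signer`, the script path `/usr/local/bin/signing-script`, the listening address and the WireGuard peer address `10.0.0.2` are placeholders chosen for this example.

```sshd_config
# Added example: a restricted signing account driven entirely by ForceCommand.
# Only key-based logins are possible for this user, the client cannot pick a
# command, open a shell, forward ports or agents, and only one WireGuard peer
# (placeholder address 10.0.0.2 standing in for gemini) may connect at all.

# Only users listed here may log in; keep the signing account isolated from
# ordinary admin accounts on the host.
AllowUsers admin signer@10.0.0.2

Match User signer
    # Every session runs this script regardless of the command the client
    # requested; the requested command arrives in $SSH_ORIGINAL_COMMAND so
    # the script can validate it and log it before doing any signing work.
    ForceCommand /usr/local/bin/signing-script
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PubkeyAuthentication yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitTunnel no
    PermitUserRC no

# Defence in depth: deny the signing user from anywhere except the WireGuard
# peer even if AllowUsers is later edited. Match Address is evaluated per
# connection, so a login attempt from another address is refused outright.
Match User signer Address *,!10.0.0.2
    DenyUsers signer
```

Two practical notes on this layout. First, the host firewall should also only accept SSH for this account on the WireGuard interface, since sshd-level address matching is the second line, not the first. Second, ForceCommand itself records nothing about what was requested; the "all signing operations are logged" requirement in the proposal has to be met by the signing script, which should write the validated `$SSH_ORIGINAL_COMMAND`, the caller's key fingerprint (available via `SSH_USER_AUTH` on recent OpenSSH or by giving each key a distinct `environment=` option) and the outcome to syslog before invoking the signing tool.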