[arch-dev-public] Signing enclave
allan at archlinux.org
Sat Jan 29 23:11:30 UTC 2022
On 30/1/22 03:22, Kristian Klausen via arch-dev-public wrote:
> Hi all
> The lack of package database signing was mentioned yet again and I think
> it is time to get the "Signing enclave" project rolling.
> A design was sketched two years ago, and based on that design I'm
> proposing a new design, without an HSM, which should be implementable today.
> The initial goal would be setting up the necessary infrastructure for us
> to be able to implement package database signing. Afterwards we can
> iterate and adapt the solution for more use-cases (ex: releng signing).
> - Hosted on a Hetzner cloud VM as most of our infrastructure
> - Managed by the DevOps team
> Key management:
> - A master key is generated and stored encrypted in the infrastructure
> - A subkey for signing is generated and stored encrypted in the
> infrastructure repository and unencrypted on the signing server
> - SSHing to a restricted UNIX user with ForceCommand=signing-script
> - All signing operations are logged
> - Only signing requests from gemini's WireGuard IP address are allowed
>  https://gitlab.archlinux.org/archlinux/signstar
>  https://gitlab.archlinux.org/archlinux/infrastructure
If you get this done soon, I will write the dbscripts changes to
automatically build for secondary architecture(s) for any package that
is uploaded in the primary architecture only. I can not guarantee I
will have time in a month...
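One concrete shape for the restricted-user part of the quoted proposal (a ForceCommand handler that allowlists the WireGuard peer, validates the request, and logs every decision), given here as an added example that is neither Arch's signstar code nor anything posted in this thread. The WireGuard address, the inbox path, the "sign <name>" request syntax, the SIGNING_KEY_ID variable and the sshd_config fragment in the header are all assumptions:

```shell
#!/bin/sh
# Added example, not Arch's signstar code: a minimal ForceCommand handler for
# the restricted signing user sketched in the quoted proposal.
#
# Assumed sshd_config fragment (not from the post):
#   Match User signing
#       ForceCommand /usr/local/bin/signing-script
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTTY no
#
# Assumptions: the allowed client is placeholder 10.0.0.2 (gemini's WireGuard
# address), requests look like "sign <basename>" for files under INBOX, and the
# signing subkey id is supplied as SIGNING_KEY_ID (placeholder, set by the admin).
ALLOWED_CLIENT="${ALLOWED_CLIENT:-10.0.0.2}"
INBOX="${INBOX:-/srv/signing/inbox}"

# client_ip: the peer address sshd exports as the first field of SSH_CONNECTION.
client_ip() {
    printf '%s\n' "${SSH_CONNECTION%% *}"
}

# client_allowed IP: succeeds only for the allowlisted WireGuard peer.
client_allowed() {
    [ "$1" = "$ALLOWED_CLIENT" ]
}

# parse_request "sign <name>": prints the validated basename, or fails.
# Rejects anything that is not exactly two words, any verb other than "sign",
# path separators, dotfiles and characters outside a conservative allowlist.
parse_request() {
    set -f                      # no globbing while we word-split the request
    set -- $1
    set +f
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "sign" ] || return 1
    case "$2" in
        ''|*/*|.*|*[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    printf '%s\n' "$2"
}

# log_event MSG: one audit line per decision, to syslog when available and
# always to stderr (which sshd returns to the caller).
log_event() {
    msg="signing-script client=$(client_ip) user=${USER:-?} $*"
    if command -v logger >/dev/null 2>&1; then
        logger -t signing-script -- "$msg" 2>/dev/null || :
    fi
    printf '%s\n' "$msg" >&2
}

main() {
    ip=$(client_ip)
    if ! client_allowed "$ip"; then
        log_event "denied reason=client-not-allowed"
        exit 1
    fi
    name=$(parse_request "${SSH_ORIGINAL_COMMAND:-}") || {
        log_event "denied reason=bad-request cmd=${SSH_ORIGINAL_COMMAND:-}"
        exit 1
    }
    log_event "accepted file=$name"
    # Detached signature with the unencrypted signing subkey held on this host.
    gpg --batch --detach-sign --local-user "${SIGNING_KEY_ID:?set to the signing subkey id}" "$INBOX/$name"
}

# Only act when sshd invokes us as the forced command; sourcing the file for
# checks leaves the functions defined without signing anything.
case "${0##*/}" in signing-script) main ;; esac
```

The point of keeping the verb, the filename grammar and the peer check in separate functions is that each can be exercised on its own; the request parser in particular is where path traversal and shell metacharacters would otherwise reach gpg.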