[arch-dev-public] Signing enclave

Allan McRae allan at archlinux.org
Sat Jan 29 23:11:30 UTC 2022

On 30/1/22 03:22, Kristian Klausen via arch-dev-public wrote:
> Hi all
> The lack of package database signing was mentioned yet again and I think 
> it is time to get the "Signing enclave" project rolling.
> A design was sketched two years ago[1], and based on that design I'm 
> proposing a new design, without a HSM, which should be implementable today.
> The initial goal would be setting up the necessary infrastructure for us 
> to be able to implement package database signing. Afterwards we can 
> iterate and adapt the solution for more use-cases (ex: releng signing).
> Hosting:
> - Hosted on a Hetzner cloud VM as most of our infrastructure
> - Managed by the DevOps team
> Key management:
> - A master key is generated and stored encrypted in the infrastructure 
> repository[2]
> - A subkey for signing is generated and stored encrypted in the 
> infrastructure repository[2] and unencrypted on the signing server
> Signing:
> - SSHing to a restricted UNIX user with ForceCommand=signing-script
> - All signing operations are logged
> - Only signing requests from gemini's WireGuard IP address is allowed
> [1] https://gitlab.archlinux.org/archlinux/signstar
> [2] https://gitlab.archlinux.org/archlinux/infrastructure

Do it!

If you get this done soon, I will write the dbscripts changes to 
automatically build for secondary archtiecture(s) for any package that 
is uploaded in the primary architecture only.  I can not guarantee I 
will have time in a month...


More information about the arch-dev-public mailing list