www-infrastructure-dev mailing list archives

From Clint Modien <cmod...@gmail.com>
Subject Re: Official code signing certificate
Date Mon, 25 Mar 2013 23:48:41 GMT
Should the key/cert ever be _suspected_ of being compromised and the key/cert needs to be changed…
it will invalidate the currently signed code running on users' systems.

Some apps may not execute at all, some apps may not be able to update properly.

I'm not sure if it's economical or not… but if the approach is to provide private keys and
certs to each project it might be wise for them to also be unique for each project.

That way if a cert/key pair is compromised in one project it doesn't impact other projects.

Perhaps a protocol for simply requesting initial signing certs and a private key from infra
to be protected by a few members of the PMC?

And infra could then provide a strongly worded wiki page about the protection of the certs
and keys and the consequences associated with compromised keys/certs.

On Mar 25, 2013, at 10:27 AM, Clint Modien <cmodien@gmail.com> wrote:

> When I worked on a project for Amazon the binaries were submitted via ssh to the security
> department along with an md5 file for each binary.
> Before the project started I was required to produce a step by step document for signing
> the code. (tools, downloads, setup)
> After the binaries were checked against their associated md5 hashes, security then simply
> signed the binaries according to the process outlined in the document.
> I was told that the cert and private key were kept on a usb stick in a safe and the protocols
> surrounding the handling of the usb stick were as strict as those used for nuclear launch
> I feel like the process to sign most code nowadays does not require the cert+key be available
> during compilation… but I could be wrong.
> On Mar 25, 2013, at 9:06 AM, Rob Weir <robweir@apache.org> wrote:
>> I like the idea of having multiple PMC members attest to the RC, by
>> signing or whatever.  But we still would need to tie that back to a
>> SVN revision number somehow.   In other words, how we do prove the
>> revision number that was used to build the RC?
>> Perhaps the flow is like this:
>> 1) RC built by buildbot and that records the SVN revision.
>> 2) Three PMC members sign the RC
>> 3) Comparison of the MD5 hashes for the signed RC and the buildbot
>> output confirms the revision that was used.
>> 4) Infra then releases the signing cert for use by buildbot automation
>> to rebuild the same revision
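The four-step flow quoted above (buildbot records the revision, three PMC members attest, hashes are compared, the revision is cleared for automated signing) as an added example that is not part of this thread or any Apache infra tooling. It assumes a constructed buildbot record and hypothetical PMC attestation keys; HMAC-SHA256 stands in for real OpenPGP/X.509 signatures, and SHA-256 is substituted for the MD5 mentioned in the thread.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample: what buildbot records when it builds the RC (step 1).
# The thread says MD5; SHA-256 is substituted here as an assumption.
RC_BYTES = b"constructed release candidate bytes, hypothetical r1460856\n"
BUILDBOT_RECORD = {"svn_revision": 1460856,  # hypothetical revision number
                   "sha256": hashlib.sha256(RC_BYTES).hexdigest()}

# Hypothetical per-member attestation keys. Real attestations would be
# OpenPGP/X.509 signatures; HMAC-SHA256 stands in so this runs stdlib-only.
PMC_KEYS: Dict[str, bytes] = {"alice": b"alice-secret", "bob": b"bob-secret",
                              "carol": b"carol-secret", "dave": b"dave-secret"}
REQUIRED_ATTESTATIONS = 3


def attest(member: str, rc_bytes: bytes) -> str:
    """Step 2: a PMC member attests to the RC bytes they actually tested."""
    digest = hashlib.sha256(rc_bytes).digest()
    return hmac.new(PMC_KEYS[member], digest, "sha256").hexdigest()


def revision_cleared_for_signing(rc_bytes: bytes, attestations: Dict[str, str],
                                 record: dict = BUILDBOT_RECORD) -> Optional[int]:
    """Step 3: tie the attested RC back to the buildbot revision.

    Returns the SVN revision automation may rebuild and sign (step 4), or None
    if the RC is not what buildbot produced or fewer than
    REQUIRED_ATTESTATIONS known PMC members validly attested to it.
    """
    digest_hex = hashlib.sha256(rc_bytes).hexdigest()
    if not hmac.compare_digest(digest_hex, record["sha256"]):
        return None  # attested bytes differ from the buildbot output
    digest = bytes.fromhex(digest_hex)
    valid = 0
    for member, tag in attestations.items():
        key = PMC_KEYS.get(member)
        if key is None:
            continue  # unknown attester does not count toward the quorum
        if hmac.compare_digest(hmac.new(key, digest, "sha256").hexdigest(), tag):
            valid += 1
    return record["svn_revision"] if valid >= REQUIRED_ATTESTATIONS else None


if __name__ == "__main__":
    sigs = {m: attest(m, RC_BYTES) for m in ("alice", "bob", "carol")}
    print(revision_cleared_for_signing(RC_BYTES, sigs))  # 1460856
```

The signing cert never has to be present at build time: it is released to automation only after the quorum and the hash comparison both pass.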
