www-infrastructure-dev mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Official code signing certificate
Date Tue, 26 Mar 2013 11:55:33 GMT
Clint Modien wrote on Mon, Mar 25, 2013 at 16:48:41 -0700:
> Should the key/cert ever be _suspected_ of being compromised and the
> key/cert needs to be changed… it will invalidate the currently signed
> code running on users' systems.
> 

Well that raises a few more questions.

Should we have just one cert?  Or one cert per project, say?  If so,
(a) should each project's builds happen as a separate OS user?, (b)
would end-user systems recognise that? (maybe they limit the chain
depth?)

> Some apps may not execute at all, some apps may not be able to update properly.
> 
> I'm not sure if it's economical or not… but if the approach is to provide private keys
> and certs to each project it might be wise for them to also be unique for each project.
> 
> That way if a cert/key pair is compromised in one project it doesn't impact other projects.
> 
> Perhaps a protocol for simply requesting initial signing certs and a
> private key from infra to be protected by a few members of the PMC?
> 
> And infra could then provide a strongly worded wiki page about the
> protection of the certs and keys and the consequences associated with
> compromised keys/certs.
> 

I'm not terribly fond of the idea of giving a PMC member a private
signing key in the name of the org.  We have enough trouble ensuring
committers keep their SSH key securely...

One option is secret sharing --- a 3-out-of-N signing scheme --- but I'm
not offhand aware of any implementations we can use.

Daniel

> On Mar 25, 2013, at 10:27 AM, Clint Modien <cmodien@gmail.com> wrote:
> 
> > When I worked on a project for Amazon the binaries were submitted via ssh to the
> > security department along with an md5 file for each binary.
> > 
> > Before the project started I was required to produce a step by step document for
> > signing the code. (tools, downloads, setup)
> > 
> > After the binaries were checked against their associated md5 hashes, security then
> > simply signed the binaries according to the process outlined in the document.
> > 
> > I was told that the cert and private key were kept on a usb stick in a safe and
> > the protocols surrounding the handling of the usb stick were as strict as those used
> > for nuclear launch codes.
> > 
> > I feel like the process to sign most code nowadays does not require the cert+key
> > be available during compilation… but I could be wrong.
> > 
> > On Mar 25, 2013, at 9:06 AM, Rob Weir <robweir@apache.org> wrote:
> >> 
> >> I like the idea of having multiple PMC members attest to the RC, by
> >> signing or whatever.  But we still would need to tie that back to a
> >> SVN revision number somehow.   In other words, how do we prove the
> >> revision number that was used to build the RC?
> >> 
> >> Perhaps the flow is like this:
> >> 
> >> 1) RC built by buildbot and that records the SVN revision.
> >> 
> >> 2) Three PMC members sign the RC
> >> 
> >> 3) Comparison of the MD5 hashes for the signed RC and the buildbot
> >> output confirms the revision that was used.
> >> 
> >> 4) Infra then releases the signing cert for use by buildbot automation
> >> to rebuild the same revision
> >> 
> > 
> 
