www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Official code signing certificate
Date Fri, 12 Apr 2013 15:40:49 GMT
On Fri, 22 Mar 2013 10:44:45 -0400
Rob Weir <robweir@apache.org> wrote:

> The remaining question would be if we need any safeguards against
> hypothetical compromised committer accounts.
> I think we want to avoid something like this:
> 1) Someone acquires login credentials for a committer, e.g., they use
> the same password at Apache as they use for some other web service
> that is hacked.
> 2) They check-in a backdoor into the code
> 3) Before CTR finds the problem the buildbots have built and signed
> the executables and the hacker has downloaded them.
> 4) We have malicious code now distributed signed with the Apache
> certificate.

The solution is for this is to only allow the code signing service
to sign gpg-crypted artifacts.  The providence of the code, which
committer submitted it for signing, is recorded.

> You might think that we'd vote on the RC and only sign it after that.
> But that doesn't work because the signature is applied at multiple
> levels of the packaging.  So the individual EXE and DLL's are signed,
> as well as the installer and the outermost archive packaging.

It is reasonably straightforward (using Windows, specifically) to;

  1. unpack the .msi
  2. unpack the embedded diamond-compressed .cab (or .zip/war's) 
  3. sign .dll and .exe artifacts
  4. recompress the .cab (or .zip/war's)
  5. repack the .msi with the replacement .cab

That's what I had envisioned several years ago that such a service
would do on the ASF side.  Check in a package to the signing service's
svn inbox, the signing service checks in signed packages in return.
Everything is tracked by ASF creds and gpg creds (2 factor).

Symantec also created such a service and later offered it to the ASF
for free.  The primary delta between an ASF-created service and the
Symantec code signing service, is that Symantec creates per-package
(or per-binary) certs which *are* individually revocable without ever
needing to revoke the ASF-wide key.  The service is commercially some
$20k/yr.  It was offered to the ASF for free over a year ago.

The third competing design suggests a way for committers, without
audit, to sign packages themselves using a single-factor auth scheme,
using the ASF-wide cert.  This seems really unwise to me.

Again summarizing the archives for your benefit.

View raw message