www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: Official code signing certificate
Date Mon, 01 Apr 2013 00:05:13 GMT
On Mon, Mar 25, 2013 at 7:48 PM, Clint Modien <cmodien@gmail.com> wrote:
> Should the key/cert ever be _suspected_ of being compromised and the key/cert needs to
be changed… it will invalidate the currently signed code running on users systems.
>

Is this true?  I know that the signing is verified at install time,
and that revocations might be checked at that time as well.  But I
didn't think that the signing had relevance after installation.
Certainly the outermost signature is no longer relevant, since it is
only used at install time.


> Some apps may not execute at all, some apps may not be able to update properly.
>
> I'm not sure if it's economical or not… but if the approach is to provide private keys
and certs to each project it might be wise for them to also be unique for each project.
>
> That way if a cert/key pair is compromised in one project it doesn't impact other projects.
>

Worth considering, IMHO.

-Rob

> Perhaps a protocol for simply requesting intial signing certs and a private key from
infra to be protected by a few members of the PMC?
>
> And infra could then provide a strongly worded wiki page about the protection of the
certs and keys and the consequences associated with compromised keys/certs.
>
> On Mar 25, 2013, at 10:27 AM, Clint Modien <cmodien@gmail.com> wrote:
>
>> When I worked on a project for Amazon the binaries were submitted via ssh to the
security department along with an md5 file for each binary.
>>
>> Before the project started I was required to produce a step by step document for
signing the code. (tools, downloads, setup)
>>
>> After the binaries were checked against their associated md5 hashes, security then
simply signed the binaries according to the process outlined in the document.
>>
>> I was told that the cert and private key were kept on a usb stick in a safe and the
protocols surrounding the handling of the usb stick were as strict as those used for nuclear
launch codes.
>>
>> I feel like the process to sign most code nowadays does not require the cert+key
be available during compilation… but I could be wrong.
>>
>> On Mar 25, 2013, at 9:06 AM, Rob Weir <robweir@apache.org> wrote:
>>>
>>> I like the idea of having multiple PMC members attest to the RC, by
>>> signing or whatever.  But we still would need to tie that back to a
>>> SVN revision number somehow.   In other words, how we do prove the
>>> revision number that was used to build the RC?
>>>
>>> Perhaps the flow is like this:
>>>
>>> 1) RC built by buildbot and that records the SVN revision.
>>>
>>> 2) Three PMC members sign the RC
>>>
>>> 3) Comparison of the MD5 hashes for the signed RC and the buildbot
>>> output confirms the revision that was used.
>>>
>>> 4) Infra then releases the signing cert for use by buildbot automation
>>> to rebuild the same revision
>>>
>>
>

Mime
View raw message