#5870: rawhide signing
Fedora Release Engineering
rel-eng at fedoraproject.org
Wed Mar 19 19:43:49 UTC 2014
------------------------------+-----------------------
Reporter: kevin | Owner: rel-eng@…
Type: task | Status: new
Milestone: Fedora 21 Final | Component: koji
Resolution: | Keywords: meeting
Blocked By: | Blocking:
------------------------------+-----------------------
Comment (by kevin):
So, there's (as always) a number of threats to consider.
Here's some of the things I don't like about that plugin:
Both the private key and passphrase are stored on the hub.
The hub is directly reachable by people on the net via its web interface,
so in theory a compromise of the hub could gain an attacker not only a way
to sign whatever they want, but they could copy off the private key and
passphrase and sign whatever they want somewhere else.
The private key and passphrase are accessible to anyone who otherwise has
access to the machine (i.e., an admin can copy off the private key and
passphrase and use them somewhere else, or have them stolen from somewhere
else).
Ideally the best way forward would be to work on sigul, and come up with a
way to do non-interactive signing. That would at least make it so the
private keys are never exposed (they would only be on the sigul vault),
and no one could take the key and sign stuff elsewhere. We could also run
another system to do the signing requests and just have it watch builds
and sign them as it goes... that would mean the hub itself wouldn't know
the passphrase or how to sign things even.
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5870#comment:6>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
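An added example (not code from the ticket, koji or sigul) sketching the separation the comment argues for: a vault type that is the only holder of an Ed25519 private key and exposes nothing but a sign operation, a hub that holds only the public key and verifies before attaching, and a separate watcher that polls the hub for unsigned builds and requests signatures. The Build, Vault, Hub, Watch and Setup names, the SHA-256-of-payload digest and the two build records are assumptions for the demo; the real sigul protocol is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Build is a finished build as the hub records it (constructed stand-in for koji data).
type Build struct {
	NVR, Payload string
	Signature    []byte // empty until the watcher attaches one
}

// Vault is the sole holder of the private key (sigul-vault-like): it hands out signatures, never the key.
type Vault struct{ priv ed25519.PrivateKey }
func (v *Vault) Sign(digest []byte) []byte { return ed25519.Sign(v.priv, digest) }
// Hub holds only the public key, so a hub compromise can verify but never sign.
type Hub struct {
	Pub    ed25519.PublicKey
	Builds []*Build
}

func digest(b *Build) []byte { d := sha256.Sum256([]byte(b.Payload)); return d[:] }
// Attach stores a signature only if it verifies against the vault's public key.
func (h *Hub) Attach(b *Build, sig []byte) bool {
	if !ed25519.Verify(h.Pub, digest(b), sig) {
		return false
	}
	b.Signature = sig
	return true
}

// Watch is the separate requester: poll for unsigned builds, have the vault sign each digest, hand back only the signature.
func Watch(h *Hub, v *Vault) (signed int) {
	for _, b := range h.Builds {
		if len(b.Signature) == 0 && h.Attach(b, v.Sign(digest(b))) {
			signed++
		}
	}
	return signed
}

func Setup() (*Hub, *Vault) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil { panic(err) }
	builds := []*Build{{NVR: "foo-1.0-1.fc21", Payload: "rpm A"}, {NVR: "bar-2.3-4.fc21", Payload: "rpm B"}}
	return &Hub{Pub: pub, Builds: builds}, &Vault{priv: priv}
}

func main() { Watch(Setup()) }
```

Because the private key is an unexported field of the vault and the hub only ever sees public-key material and signatures, nothing on the hub side has a code path to copy the key elsewhere.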