Review of obs-sign

Nikos Mavrogiannopoulos nmav at redhat.com
Fri May 23 15:24:25 UTC 2014


On Fri, 2014-05-23 at 09:18 -0400, Matthew Miller wrote:
> On Fri, May 23, 2014 at 10:17:03AM +0200, Miroslav Suchý wrote:
> > Hi guys,
> > I would like to use obs-sign for signing packages in Copr.
> 
> More generally, it'd be nice to have security review of this plan:
> https://lists.fedoraproject.org/pipermail/infrastructure/2014-May/014345.html

As far as I understand the plan in that e-mail is:
"What we can have is have signing machine in VM with restrictive SW
defined network. If that VM can be only one VM on 
host, then it would be great."
That's really minimal information there. Is there a smart card being
used? Where do the keys reside? What is the impact of a key leakage? 

Anyway let me define some criteria:
1. audit (find out what was signed in time)
2. keys must not be exportable (no-one should get those keys)

I've not mentioned accountability as I understand that only one user
signs.

For (2) I'd note that the most embarrassing issue on DigiNotar failure
was the fact that they had no log of what was signed. Depending on the
impact of such a leak, this may or may not be important.

For (2) I don't think a VM satisfies the isolation from the internet,
and cannot protect the keys. If the VM resides on a developer's machine,
one may just copy it over the internet. On similar designs the keys are
stored externally (smart cards or HSMs), and locked somewhere when not
in use.

regards,
Nikos
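Criterion (1) above (an audit trail of what was signed and when), as an added example that is not obs-sign's or Copr's code: a hash-chained log of signing requests in which every record commits to the previous one, so an edited or removed entry is detected on verification. The function names, the sample requester and the key id placeholder are assumptions.

```python
"""Tamper-evident audit log for a signing service (added example, not obs-sign code).

Each record is chained to the previous one by a SHA-256 hash, so a
deleted or edited entry breaks the chain and is detected on verification.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def append_entry(log: list, requester: str, artifact_sha256: str, key_id: str, when=None) -> dict:
    """Record one signing request (who asked, which artifact, which key); returns the new entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "requester": requester,
        "artifact_sha256": artifact_sha256,
        "key_id": key_id,
    }
    entry = dict(body, prev_hash=prev_hash, hash=_entry_hash(prev_hash, body))
    log.append(entry)
    return entry


def verify_chain(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["seq"] != i or entry["prev_hash"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, body):
            return i
        prev_hash = entry["hash"]
    return -1


def demo() -> tuple:
    """Constructed sample: two signing requests, then a copy with rewritten history."""
    log = []
    t = datetime(2014, 5, 23, 15, 0, tzinfo=timezone.utc)
    append_entry(log, "copr-builder", "a" * 64, "KEY-ID-PLACEHOLDER", when=t)
    append_entry(log, "copr-builder", "b" * 64, "KEY-ID-PLACEHOLDER", when=t)
    tampered = [dict(e) for e in log]
    tampered[0]["artifact_sha256"] = "c" * 64  # an edited record breaks the chain
    return verify_chain(log), verify_chain(tampered)
```

The chain catches edits and gaps, but not truncation of the newest entries; for that the latest hash must also be recorded somewhere the signing host cannot rewrite.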



