On Fri, Oct 7, 2016 at 12:35 PM, Colin Walters <walters verbum org> wrote:
On Wed, Oct 5, 2016, at 09:46 AM, Alexander Larsson wrote:

That way we would only ever need one key on the client side, but on the
server side one could choose to delegate signatures such that the main
key doesn't have to be on the system that signs the summary, or such
that a 3rd party can sign his app builds.

Practically speaking I'd expect people doing GPG in any kind of non-test
fashion to use HSMs etc. So I'm not entirely sure what we'd be getting
with custom GPG delegation.

I think the point is that if you're doing anything nontrivial, then
you need to sign the summary file on the server. Since you can't
reliably mirror an ostree repo anywhere (cross your fingers with
rsync!), that pretty much means that the private key needs to be
available on your public facing server. Even if you have an HSM there,
the private key still has to be available to software running on a
server that's open to the public. That's always scared me and I've
tried to figure out many times how I could get out of that situation.
GPG delegation would at least allow you to move the private key
somewhere else.
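The delegation scheme the thread is arguing about, as an added illustration that is not ostree or flatpak code and uses Ed25519 rather than GPG: the main key, kept off the public server, signs a statement authorising a second key to sign summaries; the public-facing server holds only that second key; the client trusts only the main public key and checks the chain. The scope label and the byte layout of the signed statement are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Delegation is what the offline main key signs: "this key may sign
// summaries". The client needs only the main public key to check it.
type Delegation struct {
	SigningPub ed25519.PublicKey
	Scope      string // constructed scope label, e.g. "summary"
	Sig        []byte // main-key signature over Scope || 0x00 || SigningPub
}

func delegationBody(scope string, pub ed25519.PublicKey) []byte {
	return append([]byte(scope+"\x00"), pub...)
}

// Delegate runs wherever the main private key lives (offline box or HSM).
func Delegate(mainPriv ed25519.PrivateKey, signingPub ed25519.PublicKey, scope string) Delegation {
	return Delegation{SigningPub: signingPub, Scope: scope,
		Sig: ed25519.Sign(mainPriv, delegationBody(scope, signingPub))}
}

// SignSummary runs on the public-facing server with only the delegated key.
func SignSummary(signingPriv ed25519.PrivateKey, summary []byte) []byte {
	return ed25519.Sign(signingPriv, summary)
}

// VerifySummary is the client side: one trusted key, two signatures checked.
func VerifySummary(mainPub ed25519.PublicKey, d Delegation, summary, sig []byte) error {
	if d.Scope != "summary" {
		return errors.New("delegation not valid for summaries")
	}
	if !ed25519.Verify(mainPub, delegationBody(d.Scope, d.SigningPub), d.Sig) {
		return errors.New("delegation not signed by main key")
	}
	if !ed25519.Verify(d.SigningPub, summary, sig) {
		return errors.New("summary signature invalid")
	}
	return nil
}

func main() {
	mainPub, mainPriv, _ := ed25519.GenerateKey(rand.Reader) // offline
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)       // public server
	d := Delegate(mainPriv, sPub, "summary")
	summary := []byte("constructed summary file contents")
	if err := VerifySummary(mainPub, d, summary, SignSummary(sPriv, summary)); err != nil {
		panic(err)
	}
}
```

Revoking or rotating the server-side key then means publishing a new Delegation signed by the main key, which never has to leave the machine it lives on.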
