Re: Keys/Signature use in OSTree/Flatpak/Flathub

From: Dan Nicholson <nicholson endlessm com>
To: Colin Walters <walters verbum org>
Cc: ostree-list gnome org
Subject: Re: Keys/Signature use in OSTree/Flatpak/Flathub
Date: Fri, 7 Oct 2016 13:05:22 -0700

On Fri, Oct 7, 2016 at 12:35 PM, Colin Walters <walters verbum org> wrote:

On Wed, Oct 5, 2016, at 09:46 AM, Alexander Larsson wrote:

That way we would only ever need one key on the client side, but on the
server side one could chose to delegate signatures such that the main
key doesn't have to be on the system that signs the summary, or such
that a 3rd party can sign his app builds.


Practically speaking I'd expect people doing GPG in any kind of non-test
fashion to use HSMs etc.   So I'm not entirely sure what we'd be getting
with custom GPG delegation.


I think the point is that if you're doing anything nontrivial, then
you need to sign the summary file on the server. Since you can't
reliably mirror an ostree repo anywhere (cross your fingers with
rsync!), that pretty much means that the private key needs to be
available on your public facing server. Even if you have an HSM there,
the private key still has to be available to software running on a
server that's open to the public. That's always scared me and I've
tried to figure out many times how I could get out of that situation.
GPG delegation would at least allow you to move the private key
somewhere else.

Follow-Ups:
- Re: Keys/Signature use in OSTree/Flatpak/Flathub
  - From: Colin Walters

References:
- Re: Keys/Signature use in OSTree/Flatpak/Flathub
  - From: Colin Walters
- Re: Keys/Signature use in OSTree/Flatpak/Flathub
  - From: Alexander Larsson
- Re: Keys/Signature use in OSTree/Flatpak/Flathub
  - From: Alexander Larsson
- Re: Keys/Signature use in OSTree/Flatpak/Flathub
  - From: Colin Walters

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]