On Fri, 2014-05-23 at 09:18 -0400, Matthew Miller wrote:
> On Fri, May 23, 2014 at 10:17:03AM +0200, Miroslav Suchý wrote:
> > Hi guys,
> > I would like to use obs-sign for signing packages in Copr.
>
> More generally, it'd be nice to have security review of this plan:
> https://lists.fedoraproject.org/pipermail/infrastructure/2014-May/014345.html

As far as I understand, the plan in that e-mail is:

"What we can have is have signing machine in VM with restrictive SW defined
network. If that VM can be only one VM on host, then it would be great."

That's really minimal information there. Is there a smart card being used?
Where do the keys reside? What is the impact of a key leakage?

Anyway, let me define some criteria:

1. audit (find out what was signed in time)
2. keys must not be exportable (no-one should get those keys)

I've not mentioned accountability as I understand that only one user signs.

For (2) I'd note that the most embarrassing issue in the DigiNotar failure was
the fact that they had no log of what was signed. Depending on the impact of
such a leak, this may or may not be important.

For (2) I don't think a VM satisfies the isolation from the internet, and
cannot protect the keys. If the VM resides on a developer's machine, one may
just copy it over the internet. On similar designs the keys are stored
externally (smart cards or HSMs), and locked somewhere when not in use.

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
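Criterion (1) above, an audit trail of what was signed and when, as an added example (Python, not code from Copr or obs-sign): every signing event is appended to a hash-chained log, so that a deleted, reordered or edited entry can be detected afterwards. The HMAC signer, key id and package names are constructed stand-ins; in the design under review the real key would sit on a smart card or HSM.

```python
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64  # chain anchor for the first entry (constructed value)


def _entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def record_signing(log, who, artifact, key_id, signature, ts=None):
    """Append one signing event to the hash-chained log and return the entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {
        "seq": len(log),
        "ts": ts if ts is not None else int(time.time()),
        "who": who,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "key_id": key_id,
        "sig_sha256": hashlib.sha256(signature).hexdigest(),
        "prev_hash": prev_hash,
    }
    entry = dict(record, hash=_entry_hash(prev_hash, record))
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or record["prev_hash"] != prev_hash:
            return i  # entry removed, reordered or inserted
        if _entry_hash(prev_hash, record) != entry["hash"]:
            return i  # entry contents edited after the fact
        prev_hash = entry["hash"]
    return None


def demo_log():
    # Constructed sample: an HMAC stands in for the key-backed signer.
    fake_key = b"stand-in-key-not-a-real-signing-key"
    log = []
    for data in (b"constructed rpm bytes 1", b"constructed rpm bytes 2"):
        sig = hmac.new(fake_key, data, hashlib.sha256).digest()
        record_signing(log, "copr-backend", data, "KEYID-PLACEHOLDER", sig, ts=1400836680)
    return log
```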