Re: Review of obs-sign

On 06/04/2014 11:38 PM, Pavel Kankovsky wrote:
Let us assume an attacker who got to the point where he or she would be able
to steal the key if it stayed on the build system and were not stashed in
the oracle. It seems to me such an attacker would probably be able to coax

The key will *not* be stored on the build system, just on the signing machine.

Is there a way to neutralize such packages that does not involve explicit
replacement of signing keys on every system trusting the abused keys?

I am not aware of any method.

Second, one can keep a trusted record of all signing operations at the
oracle. It would not protect keys against abuse but at least it could make
it possible to determine--after the fact--whether a particular key has
been abused. (This has been already mentioned by Nikos Mavrogiannopoulos.)

obs-sign appears to record every operation but signed data are represented
by their hash. I think it would be better if more detailed information
about the data, perhaps a complete copy, were recorded. On the other hand,
that would make it necessary to transfer a complete file from the client
to the daemon.

I plan to record the hash *and* filenames, which should be enough for forensic analysis.
Storing the whole data payload is not possible (read it as "we have no money for that"), because we plan to build and sign (docker) images as well.

often overrated. I suggest considering an alternative approach where
private keys are split using some N out of M scheme among multiple parties
with sufficient diversity to reduce the risk of N+ parties being
compromised simultaneously.

No money for that.



--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
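The logging idea discussed in the thread (hash plus filename recorded at the signing oracle, so that key abuse can be detected after the fact), as an added example that is not part of this thread or of obs-sign itself. It is a small Python audit log whose entries are hash-chained so that a deleted or edited record is detectable, together with a check that lists artifacts claimed to carry a given key's signature whose payload hashes never went through the oracle. The record layout, the chain hashing, the key ids and the sample payloads are assumptions made for illustration, not obs-sign's actual format.

```python
import hashlib
import json
import time

# Constructed example: append-only audit log for a signing oracle.
# Each record stores the timestamp, key id, filename and SHA-256 of the
# signed payload, plus a chain hash linking it to the previous record so
# that removing or altering an entry afterwards is detectable.

GENESIS = "0" * 64  # chain value before the first record (assumption)


def payload_digest(data: bytes) -> str:
    """Hash of the data that was sent to the oracle for signing."""
    return hashlib.sha256(data).hexdigest()


def chain_hash(prev_chain: str, record: dict) -> str:
    """Hash of the previous chain value and a canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_chain + body).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, key_id: str, filename: str, data: bytes, ts=None) -> dict:
        """Append one signing operation; returns the stored record."""
        rec = {
            "ts": ts if ts is not None else time.time(),
            "key_id": key_id,
            "filename": filename,
            "sha256": payload_digest(data),
        }
        prev = self.entries[-1]["chain"] if self.entries else GENESIS
        rec["chain"] = chain_hash(prev, rec)  # rec has no "chain" key yet
        self.entries.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """True if every record still matches the chain; False on tampering."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "chain"}
            if chain_hash(prev, body) != entry["chain"]:
                return False
            prev = entry["chain"]
        return True

    def was_signed(self, key_id: str, data: bytes) -> list:
        """Records showing that this exact payload was signed with key_id."""
        digest = payload_digest(data)
        return [e for e in self.entries
                if e["key_id"] == key_id and e["sha256"] == digest]

    def unrecorded_artifacts(self, key_id: str, artifacts) -> list:
        """Filenames of artifacts bearing key_id's signature that the oracle
        never saw. A non-empty result is the forensic signal for key abuse."""
        return [name for name, data in artifacts
                if not self.was_signed(key_id, data)]


if __name__ == "__main__":
    log = AuditLog()
    # Constructed payloads standing in for package contents.
    log.record("KEY-A", "foo-1.0-1.src.rpm", b"foo package bytes")
    log.record("KEY-A", "bar-2.3-1.src.rpm", b"bar package bytes")
    print("chain intact:", log.verify_chain())
    found = [("foo-1.0-1.src.rpm", b"foo package bytes"),
             ("evil-0.1-1.src.rpm", b"never sent to the oracle")]
    print("signed outside the oracle:", log.unrecorded_artifacts("KEY-A", found))
```

Recording only the hash and filename, as the reply proposes, is enough for this check: the investigator needs the suspicious artifact itself to recompute the hash, but the oracle never has to keep a copy of the payload.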