On 13.05.2018 22:47, Christian Rebischke via arch-dev-public wrote:
> We could just generate an automated cloud image signing key (only for
> this purpose) of course and automatically sign the images with that key.
> Problem with this is: If our build server ever gets pwned, the person will
> have these keys for signing cloud images as well. Any opinion about
> this?

We had that discussion some years ago about signing our pacman
databases. I mostly remember that we didn't reach a consensus, but you
might want to search the archives for details. At some point there was a
proposal to have a dedicated signing host that is well protected and
receives files and then returns the signature. I'm not sure if that was
turned down or if there was simply nobody to work on this. Does anyone
remember that?

I think this would be a viable option for us. We could also implement
some form of rate limiting and sanity checks to ensure we only sign
things that we want to sign. For example, only one ISO can be signed per
month and the request must come from a specific IP. I probably won't do
any implementation, but I'd offer to provide feedback and design help if
someone wants to work on this. Assuming we first agree that we want to
do it this way.

Florian
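The signing-host policy sketched above (allowed source address, sanity check, one signature per artifact type per month), as an added example that is not part of this thread or of any Arch Linux tooling; the allowlisted network, the quota table and the use of HMAC-SHA256 in place of an OpenPGP detached signature are all assumptions made for the demonstration.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed policy values: the thread only says "one ISO per month" and
# "a specific IP"; the network and quota numbers here are assumptions.
ALLOWED_SOURCES = [ip_network("203.0.113.10/32")]   # build host (TEST-NET-3)
MONTHLY_QUOTA = {"iso": 1, "cloud-image": 4}          # max signatures per calendar month


class PolicyError(Exception):
    """Raised when a signing request violates the host's policy."""


class SigningHost:
    """Models the dedicated signing host: the key never leaves it, and it
    only signs requests that pass the source, sanity and rate-limit checks."""

    def __init__(self, key: bytes):
        self._key = key          # kept on this host only
        self._count = {}         # (kind, "YYYY-MM") -> signatures issued

    def request_signature(self, source_ip: str, kind: str, data: bytes,
                          now: datetime) -> bytes:
        src = ip_address(source_ip)
        if not any(src in net for net in ALLOWED_SOURCES):
            raise PolicyError(f"source {source_ip} not allowed")
        if kind not in MONTHLY_QUOTA:
            raise PolicyError(f"unknown artifact kind {kind!r}")
        if len(data) == 0:
            raise PolicyError("refusing to sign an empty artifact")
        period = (kind, now.astimezone(timezone.utc).strftime("%Y-%m"))
        if self._count.get(period, 0) >= MONTHLY_QUOTA[kind]:
            raise PolicyError(f"quota for {kind} exhausted in {period[1]}")
        self._count[period] = self._count.get(period, 0) + 1
        # HMAC-SHA256 over the artifact hash stands in for the OpenPGP detached signature.
        return hmac.new(self._key, hashlib.sha256(data).digest(), "sha256").digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        expected = hmac.new(self._key, hashlib.sha256(data).digest(), "sha256").digest()
        return hmac.compare_digest(expected, sig)
```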
