On Aug 17, 2010, at 4:20 AM, Peter Gutmann wrote:
Your code-signing system should create a tamper-resistant audit trail [0] of
 every signature applied and what it's applied to.


[0] By this I don't mean the usual cryptographic Rube-Goldbergery, just log the details to a separate server with a two-phase commit protocol to
   minimise the chances of creation of phantom non-logged signatures.
...thus once again demonstrating how much of good cryptographic practice is just good engineering/release management practice.

A number of years ago, in addition to being in charge of much of the software development, I had the system management organization of the small software maker I worked at reporting to me. I formalized a process that the (already well run) organization already had in place. Any time *any* build of the software "left the building", even if just for a demo, we marked that build as "locked". We would never delete a "locked" build without a careful determination that it was, in fact, "dead": No longer in use at any customer. We also, within 24 hours, did a special backup of the build onto a tape that went into permanent off-site storage.

The one time I know of that we didn't follow these procedures (before they were officially put into place), a very large customer, at their insistence and after the sales guy who dealt with them swore they agreed to delete the copy we gave them, got a snapshot of a build from a developer's workstation "just to see how the new version would look". Without telling us, the customer proceeded to roll this out at hundreds of sites, resulting in years of support grief, since it was impossible for us to determine exactly what went into the code they were running.

We were later acquired by a much larger company that claimed they would "teach us how to do big-league software engineering". Hah. That company was shipping software built on developer workstations as a day-to-day practice - they were just beginning to develop mechanisms to ensure that the stuff they shipped came through traceable, reproducible builds. Oh ... but their stuff was in Java, so was signed The signing was tightly controlled at a central location. Cue classic joke about using an armored car to deliver an envelope to someone living in a cardboard box.
                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to