On Aug 17, 2010, at 4:20 AM, Peter Gutmann wrote:
Your code-signing system should create a tamper-resistant audit
trail [0] of
every signature applied and what it's applied to.
Peter.
[0] By this I don't mean the usual cryptographic Rube-Goldbergery,
just log
the details to a separate server with a two-phase commit protocol
to
minimise the chances of creation of phantom non-logged signatures.
...thus once again demonstrating how much of good cryptographic
practice is just good engineering/release management practice.
A number of years ago, in addition to being in charge of much of the
software development, I had the system management organization of the
small software maker I worked at reporting to me. I formalized a
process that the (already well run) organization already had in
place. Any time *any* build of the software "left the building", even
if just for a demo, we marked that build as "locked". We would never
delete a "locked" build without a careful determination that it was,
in fact, "dead": No longer in use at any customer. We also,
within 24 hours, did a special backup of the build onto a tape that
went into permanent off-site storage.
The one time I know of that we didn't follow these procedures (before
they were officially put into place), a very large customer, at their
insistence and after the sales guy who dealt with them swore they
agreed to delete the copy we gave them, got a snapshot of a build from
a developer's workstation "just to see how the new version would
look". Without telling us, the customer proceeded to roll this out at
hundreds of sites, resulting in years of support grief, since it was
impossible for us to determine exactly what went into the code they
were running.
We were later acquired by a much larger company that claimed they
would "teach us how to do big-league software engineering". Hah.
That company was shipping software built on developer workstations as
a day-to-day practice - they were just beginning to develop mechanisms
to ensure that the stuff they shipped came through traceable,
reproducible builds. Oh ... but their stuff was in Java, so was
signed The signing was tightly controlled at a central location. Cue
classic joke about using an armored car to deliver an envelope to
someone living in a cardboard box.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
