Skip to content
Snippets Groups Projects
Select Git revision
  • feat/signstar-config
  • wiktor/add-ssh-to-srs
  • feat/signstar-configure
  • renovate/nethsm-sdk-rs-2.x
  • renovate/ureq-3.x
  • renovate/rand-0.x
  • main default protected
  • wiktor/signstar-sign
  • wiktor/migrate-to-rpgp
  • wiktor/arg
  • wiktor/update-nethsm
  • feat/openpgp-notation-completion
  • wiktor/use-typos
  • nethsm-cli/0.6.0 protected
  • nethsm/0.7.3 protected
  • signstar-request-signature/0.1.0 protected
  • signstar-configure-build/0.1.2 protected
  • nethsm-cli/0.5.0 protected
  • nethsm-config/0.2.2 protected
  • nethsm/0.7.2 protected
  • nethsm-backup/0.1.0 protected
  • nethsm-tests/0.1.2 protected
  • signstar-configure-build/0.1.1 protected
  • nethsm-cli/0.4.1 protected
  • nethsm-config/0.2.1 protected
  • nethsm/0.7.1 protected
  • nethsm-tests/0.1.1 protected
  • signstar-configure-build/0.1.0 protected
  • nethsm-cli/0.4.0 protected
  • nethsm-config/0.2.0 protected
  • nethsm/0.7.0 protected
  • nethsm-tests/0.1.0 protected
  • nethsm-cli/0.3.0 protected
33 results
Compare
Wiktor Kwapisiewicz's avatar
chore: Create an issue when a daily rebuild fails
Wiktor Kwapisiewicz authored 
This has been [suggested by @klausenbusk][0].

[0]: #20 (comment 201743)

Fixes: #20


Signed-off-by: default avatarWiktor Kwapisiewicz <wiktor@metacode.biz>
4e1cfa1e
History
Wiktor Kwapisiewicz's avatar 4e1cfa1e
History
Name Last commit Last update
.cargo
.gitlab
LICENSES
nethsm-cli
nethsm
.codespellrc
.env
.gitignore
.gitlab-ci.yml
.shellcheckrc
CONTRIBUTING.md
Cargo.lock
Cargo.toml
README.md
REUSE.toml
deny.toml
justfile
release-plz.toml
renovate.json
rustfmt.toml
README.md

Signstar

Provide a secure way to sign packages, arch iso's and pacman databases in an enclave.

Requirements

  • simple auditable and memory safe non-interpreted language aka rust
  • runs as login shell accepting stdin and outputting a signature to stdout
  • sandbox the whole process including seccomp filters
  • simple logging facility: user, hash of input, date
  • avoid any shellout and writing to harddisc if possible
  • must not be possible to do anything else than signing an artifact###

Threat model

Obtaining GPG key

  • Prevent extraction of the key by using a GPG smartcard or TPM.

Unauthorized signing

  • Restrict network access to a specific server to reduce exposure
  • Restrict ssh access to very specific keys
  • Restrict ssh key access to a dedicated user

Considerations

  • Think about ways to isolate inputs and not allow users/packagers to sign arbitrary date. However this will require sophisticated changes as repo database and package files can easily be changed before sending to the signing server. We would need to restrict it should tooling and workflow similar

Architecture

For signing a dedicated user is set up on a secure enclave which only allows ssh logins from a specific server. A dedicated user on the source server can ssh into the signing server and retrieve a signed artefact back.

ssh signer@signstar.archlinux.org < core.db.tar.xz > core.db.tar.xz.sig

The sshd_config is configured as:

Match user signer
    ForceCommand /usr/bin/signstar

CLI conveniences

justfile contains additional facilities for generating tools for packagers:

  • just generate shell_completions nethsm-cli will generate shell completions for nethsm-cli to $CARGO_TARGET_DIR/output/shell_completions/ (or to $PWD/output/shell_completions/ if $CARGO_TARGET_DIR is unset)
  • just generate manpages nethsm-cli will generate man pages for nethsm-cli to$CARGO_TARGET_DIR/output/manpages/ (or to $PWD/output/manpages/ if $CARGO_TARGET_DIR is unset)

The target directory will be automatically created.