Replies: 5 comments
-
@akshay-saraswat from a user perspective, what is your opinion there? |
Beta Was this translation helpful? Give feedback.
-
Side note: Public keys in RPMS repositories are exposed inside. For example: https://evebox.org/files/rpm/development/RPM-GPG-KEY-evebox Sample CRL file from Google: https://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl |
Beta Was this translation helpful? Give feedback.
-
My opinion as an Elastic user advocate. Will we change the keys regularly? Where will the public and private keys reside and who will have access to them?
What if the keys used to sign packages have to be changed?
How will we communicate the key update?
|
Beta Was this translation helpful? Give feedback.
-
As signature will happens during build, it means that we must rebuild and push again all packages right? Should we immediately disabled all packages download or should we wait the end of the build pipeline? |
Beta Was this translation helpful? Give feedback.
-
It isn't so uncommon to happen. Check out the news: https://threatpost.com/d-link-accidentally-leaks-private-code-signing-keys/114727/
I will bring the quote from the link above:
If we decide to be in charge of managing the sub-keys for signing packages, we can prepare a procedure for revoking keys, rotating them, and resigning artifacts. If the responsibility stays on the Infra side, we need to coordinate the process with them or a security engineer. I also looked deeper and it seems that's mandatory to resign all artifacts just for safety purposes. It's our responsibility to be able to do this in a reasonable time. I suppose it's a matter of preparing procedures.
It isn't a good practice to rotate the signing keys. For example, Google Play suggests setting the expiry period to at least 25 years.
Closer to the machine access only, the better.
@jsoriano mentioned investigating an option of running a Keyserver. See https://keyserver.ubuntu.com . AFAIK we're using this one: https://pgp.mit.edu . That's a job for you, @akshay-saraswat , to find the owner of this process :) Should we also keep and expose it in the Package Storage?
So far we assumed that the Package Registry is dumb and can't validate any signatures. Kibana would be the ultimate source of trust. It will decide to reject of accepting the signature.
Agree, technically we must be able to perform this.
Again, please try to pair with somebody responsible for this process in Elastic, and ask about the option of launching own keyserver. |
Beta Was this translation helpful? Give feedback.
-
We have the idea of signing packages in order to have a proof that a package is truly coming from Elastic developers.
The question here is - What if the keys used to sign packages have to be changed? (Updating for security purpose for example)
How should we communicate this change and how to handle package that we signed with the old keys?
Beta Was this translation helpful? Give feedback.
All reactions