<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font size="-1">Not sure exactly what automatically signing
means. Here is my recent upload command.</font></p>
<p><font size="-1">scp -i ~/.ssh/id_rsa_llvm.pub
clang+llvm-11.0.1-x86_64-linux-gnu-ubuntu-20.10.tar.xz
testers@releases-origin.llvm.org:/home/testers</font></p>
<p><font size="-1">My public key on the LLVM side, id_rsa_llvm.pub,
identifies the upload as coming from me. It may be better to
change the name of that public key to something like</font></p>
<p><font size="-1">id_rsa_nnelson.pub</font></p>
<p><font size="-1">Or possibly some identifier instead of nnelson
assigned by LLVM.</font></p>
<p><font size="-1">The public key on the scp command uniquely
identifies the source of the upload. The public key was
previously uploaded to LLVM. User authentication occurs when the
user side uses the private key to set up the encryption channel
for the file transfer, with the LLVM side using the public key
for that user's private key.</font></p>
<p><font size="-1">The determination of user trustworthiness is tied
to the user's public key and is by some method external to the
use of the keys. I expect that would be determined by the
quality of uploads in the past and perhaps to the degree that
others at LLVM can vouch for that user. This has the feel of a
MySQL database showing the user's name, public key name, upload
activity and community evaluations toward some degree of
trustworthiness. It may be that user upvotes and downvotes for
each release file on the release page could be applied to help in
that rating.
</font></p>
<p><font size="-1">At this point we need an SSH log on the LLVM side
we can parse that will show what keys were used with what files
uploaded. This parse would be done at some convenient frequency
and may automatically update the MySQL DB and provide activity
reporting. Moving of the uploaded files and updating the release
page could possibly be done automatically. This last part
depends on setting up the detail and format for that process.</font></p>
<p><font size="-1">Getting the SSH log working properly seems to be the
stretch part at the moment but appears to be the obvious direction.</font></p>
<p><font size="-1">Neil Nelson</font></p>
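<p><font size="-1">The log-parsing step described above, as an added example that is not code from this thread or from the LLVM project: a Python script that reads the testers' authorized_keys file (assuming, as a hypothetical convention, that each key's comment field holds the tester identifier proposed in the message), computes the SHA256 fingerprint that sshd reports on its "Accepted publickey" line, and attributes every file written during an SFTP session to the tester whose key opened that session. It assumes uploads go through OpenSSH's SFTP subsystem with INFO logging (scp over a plain shell logs the login but not the file names); the keys, the hostnames and the log lines are constructed for the example and are not real keys or real server logs.</font></p>

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

def ssh_fingerprint(pubkey_line):
    """OpenSSH SHA256 fingerprint of an authorized_keys line ('type base64 [comment]'):
    base64(sha256(key blob)) without '=' padding, the value `ssh-keygen -lf` prints
    and sshd writes on its 'Accepted publickey' line."""
    _key_type, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_registry(authorized_keys_text):
    """Fingerprint -> tester name. Hypothetical convention (the naming idea in the
    message): the key's comment field is the tester identifier; keys without a
    comment cannot be attributed and are skipped."""
    registry = {}
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            registry[ssh_fingerprint(line)] = fields[2]
    return registry

def _constructed_ed25519_line(fill_byte, comment=""):
    """Well-formed ssh-ed25519 blob that is NOT a real key (sample data only)."""
    key_type, raw = b"ssh-ed25519", bytes([fill_byte]) * 32
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(raw)) + raw
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}".rstrip()

# Constructed sample data: two named keys and one uploaded without a comment.
KEY_NNELSON = _constructed_ed25519_line(0x11, "nnelson")
KEY_TESTER2 = _constructed_ed25519_line(0x22, "tester2")
KEY_NOCOMMENT = _constructed_ed25519_line(0x33)
AUTHORIZED_KEYS = "\n".join(["# uploaders", KEY_NNELSON, KEY_TESTER2, KEY_NOCOMMENT])

# sshd's login line, then the SFTP subsystem's session/close lines (format follows
# OpenSSH with `Subsystem sftp internal-sftp -l INFO`; the sample lines are constructed).
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
                         r"port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")
SESSION_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: session opened for local user (?P<user>\S+) "
                        r"from \[(?P<ip>[^\]]+)\]")
CLOSE_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: close "(?P<path>[^"]+)" bytes read \d+ written (?P<wr>\d+)')
UPLOAD = "/home/testers/clang+llvm-11.0.1-x86_64-linux-gnu-ubuntu-20.10.tar.xz"
SAMPLE_LOG = f"""\
Jan 12 22:13:01 origin sshd[4242]: Accepted publickey for testers from 203.0.113.7 port 51234 ssh2: ED25519 {ssh_fingerprint(KEY_NNELSON)}
Jan 12 22:13:01 origin sshd[4250]: session opened for local user testers from [203.0.113.7]
Jan 12 22:19:40 origin sshd[4250]: close "{UPLOAD}" bytes read 0 written 12345
Jan 12 22:20:05 origin sshd[4300]: Accepted publickey for testers from 198.51.100.9 port 40022 ssh2: ED25519 {ssh_fingerprint(KEY_NOCOMMENT)}
Jan 12 22:20:05 origin sshd[4308]: session opened for local user testers from [198.51.100.9]
Jan 12 22:20:09 origin sshd[4308]: close "/home/testers/unknown.tar.xz" bytes read 0 written 999
Jan 12 22:21:00 origin sshd[4250]: close "/home/testers/README" bytes read 512 written 0
"""

def attribute_uploads(log_text, registry):
    """Return (uploads, unattributed); uploads is a list of (tester, path, bytes_written).
    Hop 1: 'Accepted publickey' -> fingerprint, keyed by (local user, client ip).
    Hop 2: the SFTP 'session opened' line for that (user, ip) gives the session pid;
    'close' lines with that pid and bytes written > 0 are the files it uploaded."""
    pending, session_fp, uploads, unattributed = {}, {}, [], []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            pending[(m["user"], m["ip"])] = m["fp"]
            continue
        m = SESSION_RE.search(line)
        if m:
            fp = pending.pop((m["user"], m["ip"]), None)
            if fp:
                session_fp[m["pid"]] = fp
            continue
        m = CLOSE_RE.search(line)
        if m and int(m["wr"]) > 0:
            tester = registry.get(session_fp.get(m["pid"]))
            if tester:
                uploads.append((tester, m["path"], int(m["wr"])))
            else:
                unattributed.append(m["path"])  # key had no name, or session unmatched
    return uploads, unattributed

def activity_report(uploads):
    """Per-tester upload activity: the rows the message's MySQL table would hold."""
    report = defaultdict(list)
    for tester, path, size in uploads:
        report[tester].append((path, size))
    return dict(report)

if __name__ == "__main__":
    registry = load_registry(AUTHORIZED_KEYS)
    uploads, unattributed = attribute_uploads(SAMPLE_LOG, registry)
    for tester, files in activity_report(uploads).items():
        for path, size in files:
            print(f"{tester}\t{path}\t{size} bytes")
    for path in unattributed:
        print(f"UNATTRIBUTED\t{path}")
```

<p><font size="-1">The hop from the login line to the SFTP session is keyed by (local user, client address), so two testers uploading at the same moment from behind one NAT address are ambiguous and would need the port or a timestamp window as a tiebreaker. Binding the identity to the key itself with a per-key command= or environment= option in authorized_keys avoids the log correlation entirely, at the cost of per-key server configuration.</font></p>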
<div class="moz-cite-prefix"><font size="-1">On 1/12/21 10:13 PM,
Tom Stellard via llvm-dev wrote:</font><br>
</div>
<blockquote type="cite"
cite="mid:bfcd0cae-3b38-3a91-0f8f-f0ead5fe05b1@redhat.com">Hi,
<br>
<br>
I would like to automate the signing of some of the release files
we upload to the release page, starting with the source tarballs.
My initial goal is to have a CI job that automatically creates,
signs, and uploads the source tarballs, whenever a new release is
tagged. I would also like the key used for signing to be a
'project' key and not someone's personal key.
<br>
<br>
Once this is done, I would like to implement something similar for
the release binaries, so that testers could upload the binaries
and have them automatically signed. This will be more difficult
than the source tarballs, because the binaries are built by
individual testers, so we would need to prove that they come from
a trustworthy source.
<br>
<br>
Implementing these changes will help streamline the release
process and let release managers avoid doing a lot of manual
mistake-prone tasks.
<br>
<br>
The questions I have for the community are:
<br>
<br>
Is this a good idea?
<br>
<br>
How can I implement this securely?
<br>
<br>
Thanks,
<br>
Tom
<br>
<br>
_______________________________________________
<br>
LLVM Developers mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a>
<br>
</blockquote>
</body>
</html>