[cfe-dev] RFC: Automated signing of release files

Demi M. Obenour via cfe-dev cfe-dev at lists.llvm.org
Wed Jan 13 09:22:04 PST 2021 

On 1/13/21 12:13 AM, Tom Stellard via cfe-dev wrote:
> Hi,
> 
> I would like to automate the signing of some of the release files we upload to the release page, starting with the source tarballs.  My initial goal is to have a CI job that automatically creates, signs, and uploads the source tarballs, whenever a new release is tagged.  I would also like the key used for signing to be a 'project' key and not someone's personal key.
> 
> Once this is done, I would like to implement something similar for the release binaries, so that testers could upload the binaries and have them automatically signed.  This will be more difficult than the source tarballs, because the binaries are built by individual testers, so we would need to prove that they come from a trust-worthy source.
> 
> Implementing these changes, will help streamline the release process and let release managers avoid doing a lot of manual mistake-prone tasks.
> 
> The questions I have for the community are:
> 
> Is this a good idea?

Absolutely, so long as it is done properly.

> How can I implement this securely?

I strongly recommend against using GitHub Actions for this.  There was
a nasty vulnerability not too long ago that (IIRC) could have led
to signing keys being exfiltrated.  Furthermore, I honestly do not
trust something like GitHub actions with something that sensitive.

A better approach would be to run a secure builder
on trusted hardware.  QubesOS’s Qubes Builder
(https://github.com/QubesOS/qubes-builder) and the corresponding
infrastructure (https://github.com/QubesOS/qubes-infrastructure) might
be a good source of inspiration here.  (Disclaimer: I work on QubesOS.)

QubesOS automatically performs a build whenever a properly formatted
signed tag is uploaded to GitHub.  The resulting artifacts are signed
and uploaded to testing repositories with no further intervention
required.  The build VM only has network access via Tor (except for
SSH), and the signing keys are on a different VM with no network
access at all.  This avoids having to trust GitHub’s access controls.

> Thanks,
> Tom

Sincerely,

Demi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20210113/e168b302/attachment.sig>

More information about the cfe-dev mailing list