[llvm-dev] RFC: Automated signing of release files

Tue Jan 12 23:00:21 PST 2021

Not sure exactly what automatically signing means. Here is my recent 
upload command.

scp -i ~/.ssh/id_rsa_llvm.pub 
clang+llvm-11.0.1-x86_64-linux-gnu-ubuntu-20.10.tar.xz 
testers at releases-origin.llvm.org:/home/testers

My public key on the LLVM side, id_rsa_llvm.pub, identifies the upload 
as coming from me. It may be better to change the name of that public 
key to something like

id_rsa_nnelson.pub

Or possibly some identifier instead of nnelson assigned by LLVM.

The public key on the scp command uniquely identifies the source of the 
upload. The public key was previously uploaded to LLVM. User 
authentication occurs when the user side uses the private key to set up 
the encryption channel for the file transfer, with the LLVM side using 
the public key for that user's private key.

The determination of user trustworthiness is tied to the user's public 
key and is by some method external to the use of the keys. I expect that 
would be determined by the quality of uploads in the past and perhaps to 
the degree that others at LLVM can vouch for that user. This has the 
feel of a MySQL database showing the user's name, public key name, 
upload activity and community evaluations toward some degree of 
trustworthiness. It may be that on the release page has user upvotes and 
downvotes for each release file could be applied to help in that rating.

At this point we need an SSH log on the LLVM side we can parse that will 
show what keys were used with what files uploaded. This parse would be 
done at some convenient frequency and may automatically update the MySQL 
DB and provide activity reporting. Moving of the uploaded files and 
updating the release page could possibly be done automatically. This 
last part depends on setting up the detail and format for that process.

Getting the SSH log working properly seems the stretch part at the 
moment but appears the obvious direction.

Neil Nelson

On 1/12/21 10:13 PM, Tom Stellard via llvm-dev wrote:
> Hi,
>
> I would like to automate the signing of some of the release files we 
> upload to the release page, starting with the source tarballs. My 
> initial goal is to have a CI job that automatically creates, signs, 
> and uploads the source tarballs, whenever a new release is tagged.  I 
> would also like the key used for signing to be a 'project' key and not 
> someone's personal key.
>
> Once this is done, I would like to implement something similar for the 
> release binaries, so that testers could upload the binaries and have 
> them automatically signed.  This will be more difficult than the 
> source tarballs, because the binaries are built by individual testers, 
> so we would need to prove that they come from a trust-worthy source.
>
> Implementing these changes, will help streamline the release process 
> and let release managers avoid doing a lot of manual mistake-prone tasks.
>
> The questions I have for the community are:
>
> Is this a good idea?
>
> How can I implement this securely?
>
> Thanks,
> Tom
>
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20210113/18dc3661/attachment.html>