Stream and release metadata signing #213

Open
bgilbert opened this issue Jul 8, 2019 · 2 comments
@bgilbert
Contributor

bgilbert commented Jul 8, 2019

The stream and release metadata are meant for automatic/machine consumption, so we should sign them (and address key management).

For the moment, we are ensuring via TLS that those cannot be tampered with on the wire.
Integrity of downloadable blobs (ostree commits, image artifacts) is guaranteed by direct signatures on such objects.
I think the only remaining case to cover is an overall infrastructure hijack, where somebody is able to reroute or manipulate our bucket and inject forged manifests that way. That would still not be a problem for installed machines, but may prevent new installations and auto-upgrades.

/cc @dustymabe

Originally posted by @lucab in #98 (comment)
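The threat described above is a hijacked or manipulated bucket serving a forged manifest over an otherwise valid TLS connection. A detached signature over the metadata bytes, checked against a pinned release public key before the client acts on the manifest, is the mitigation the issue asks for. The following Go program is an added illustration of that check and is not code from this repository or from coreos-assembler; the Ed25519 key, the `SampleStream` document and the function names are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// SampleStream is a constructed stream-metadata document for the example;
// it is not real Fedora CoreOS release data.
const SampleStream = `{"stream":"stable","architectures":{"x86_64":{"artifacts":{"metal":{"release":"30.0.0"}}}}}`

// SignMetadata produces a detached signature over the exact metadata bytes
// that will be published. The signature travels as a sidecar (e.g. a .sig
// object next to the JSON), so the signed bytes are never re-serialized.
func SignMetadata(priv ed25519.PrivateKey, metadata []byte) []byte {
	return ed25519.Sign(priv, metadata)
}

// VerifyMetadata checks the detached signature against a pinned release
// public key and only then decodes the manifest. A forged or modified
// manifest, or one signed with a different key, is rejected before any
// artifact URL inside it is used.
func VerifyMetadata(pub ed25519.PublicKey, metadata, sig []byte) (map[string]any, error) {
	if !ed25519.Verify(pub, metadata, sig) {
		return nil, fmt.Errorf("stream metadata signature invalid: refusing to use manifest")
	}
	var manifest map[string]any
	if err := json.Unmarshal(metadata, &manifest); err != nil {
		return nil, fmt.Errorf("stream metadata is not valid JSON: %w", err)
	}
	return manifest, nil
}

func main() {
	// The release key would be generated once and its public half pinned in
	// the installer/updater; generating it here keeps the example self-contained.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	metadata := []byte(SampleStream)
	sig := SignMetadata(priv, metadata)

	if manifest, err := VerifyMetadata(pub, metadata, sig); err == nil {
		fmt.Println("genuine manifest accepted, stream:", manifest["stream"])
	}

	// Simulate the bucket-hijack case: the attacker swaps the manifest but
	// cannot produce a signature under the pinned key.
	forged := []byte(`{"stream":"stable","architectures":{"x86_64":{"artifacts":{"metal":{"release":"99.9.9"}}}}}`)
	if _, err := VerifyMetadata(pub, forged, sig); err != nil {
		fmt.Println("forged manifest rejected:", err)
	}
}
```

The key design point is that the signature covers the bytes as fetched, not a re-encoded JSON object: `encoding/json` compacts and HTML-escapes `json.RawMessage` on marshal, so wrapping the manifest in a JSON envelope and re-serializing it would silently change the signed bytes. Key management (rotation, revocation, where the pinned key lives on the client) is the part of the issue this example does not address.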

@jlebon
Member

jlebon commented Jul 16, 2019

Related on the cosa side: coreos/coreos-assembler#268

@cgwalters
Member

My opinion on this is TLS pinning.
