1. posterid:901038
  2. Messages

Re: Code signing

Thanh Ha
 

Hi Everyone,

For those who don't know me I'm a Release Engineer at the Linux Foundation and am helping the ASWF project get setup. Feel free to direct any CI related questions to me.

I can confirm that signing is very important to many of our projects and we definitely sign both our artifacts (binaries) as well as git tags when we release software for many of our other projects at the Linux Foundation.

Today the signing is done manually via "git tag -s" as well as gpg sign of release artifacts when projects approve a staged release for public release.

We are working on providing some automation in our CI platform to allow projects to have their artifacts signed along with the staging jobs (these jobs prepare releases) but it's not ready just yet.

Cheers,
Thanh

On Tue, Aug 21, 2018 at 7:31 PM Meadhbh Hamrick <ohmeadhbh@...> wrote:
I bet security requirements are going to be all over the map in this group.

I bet people who are trying to push out media to end user devices are
going to be VERY interested in signed code, but other people who are
running binaries they completely compiled from source files they just
downloaded from github are going to be more interested in verifying
the provenance of the tarballs they just downloaded than verifying
signatures on executables they just built.

I'm mostly in the latter camp, except for the tiny bits where i'm in
the former. I really want my developers that are building FLOSS
projects to be able to pick operational security procedures that make
sense for them (but yeah, at the same time I don't want to say
"SIGNING EXECUTABLES IS USELESS!" because I do bump up into that world
from time to time and know it's a requirement for some people.)

I guess what I'm saying is... I bet it's going to be a little more
complicated than people might originally think based on their own
experiences. But I also think we could do a small amount of work
up-front to define a handful of security models that will work for 80%
of people on the list and it'll give the other 20% something to point
at when they're trying to describe how it doesn't work.

Do you have specific requirements, Nathan? Like I said, I'm mostly a
backend server farm guy, but every now and again I bump into the
mobile / app store world where code signing makes a lot more sense.

-cheers
-m
--
meadhbh hamrick * it's pronounced "maeve"
@OhMeadhbh * http://meadhbh.hamrick.rocks/ * OhMeadhbh@...
Sent from my TRS-80 Model 102


On Tue, Aug 21, 2018 at 3:29 PM, Nathan Loofbourrow <njloof@...> wrote:
> I know it’s early days, especially for Windows and Mac, but will there be a
> plan for code signing the binaries produced by CI? This will be important
> for security and adoption.
Join main@lists.aswf.io to automatically receive all group messages.