Code signing

Nathan Loofbourrow
 

I know it’s early days, especially for Windows and Mac, but will there be a plan for code signing the binaries produced by CI? This will be important for security and adoption.

Meadhbh Hamrick
 

I bet security requirements are going to be all over the map in this group.

I bet people who are trying to push out media to end user devices are
going to be VERY interested in signed code, but other people who are
running binaries they completely compiled from source files they just
downloaded from github are going to be more interested in verifying
the provenance of the tarballs they just downloaded than verifying
signatures on executables they just built.

I'm mostly in the latter camp, except for the tiny bits where I'm in
the former. I really want my developers that are building FLOSS
projects to be able to pick operational security procedures that make
sense for them (but yeah, at the same time I don't want to say
"SIGNING EXECUTABLES IS USELESS!" because I do bump up into that world
from time to time and know it's a requirement for some people.)

I guess what I'm saying is... I bet it's going to be a little more
complicated than people might originally think based on their own
experiences. But I also think we could do a small amount of work
up-front to define a handful of security models that will work for 80%
of people on the list and it'll give the other 20% something to point
at when they're trying to describe how it doesn't work.

Do you have specific requirements, Nathan? Like I said, I'm mostly a
backend server farm guy, but every now and again I bump into the
mobile / app store world where code signing makes a lot more sense.

-cheers
-m
--
meadhbh hamrick * it's pronounced "maeve"
@OhMeadhbh * http://meadhbh.hamrick.rocks/ * OhMeadhbh@...
Sent from my TRS-80 Model 102

On Tue, Aug 21, 2018 at 3:29 PM, Nathan Loofbourrow <njloof@...> wrote:
I know it’s early days, especially for Windows and Mac, but will there be a
plan for code signing the binaries produced by CI? This will be important
for security and adoption.

Thanh Ha
 

Hi Everyone,

For those who don't know me, I'm a Release Engineer at the Linux Foundation and am helping the ASWF project get set up. Feel free to direct any CI related questions to me.

I can confirm that signing is very important to many of our projects and we definitely sign both our artifacts (binaries) as well as git tags when we release software for many of our other projects at the Linux Foundation.

Today the signing is done manually via "git tag -s" as well as gpg sign of release artifacts when projects approve a staged release for public release.

We are working on providing some automation in our CI platform to allow projects to have their artifacts signed along with the staging jobs (these jobs prepare releases) but it's not ready just yet.

Cheers,
Thanh

On Tue, Aug 21, 2018 at 7:31 PM Meadhbh Hamrick <ohmeadhbh@...> wrote:
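Thanh's description of the current manual process (a signed git tag plus a gpg-signed release artifact) and Meadhbh's point about consumers verifying the tarballs they download are both shown end to end in the script below. This is an added example, not tooling from the thread, the Linux Foundation or ASWF: the unprotected throwaway key, the repository, the tag name and the artifact name are all constructed for the demo, and the script assumes gpg (2.1 or later) and git are on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): sign a git tag and a release tarball with
# a throwaway GPG key, verify both, and confirm that a modified artifact fails.
# The key, repo, tag and artifact names are all constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
REPO="$WORK/repo"
ARTIFACT="$WORK/demo-1.0.0.tar"

# 1. Throwaway signing key. Unprotected only because this is a demo; a project's
#    real release key belongs on a hardware token or in the CI signing service.
make_demo_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Demo Release Key
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    # Print the fingerprint of the key just created (the only secret key here)
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 2. Minimal repository with one commit and a signed annotated tag ("git tag -s").
make_signed_tag() {
    keyid="$1"
    git init -q "$REPO"
    git -C "$REPO" config user.name "Demo Release Key"
    git -C "$REPO" config user.email "release@example.invalid"
    git -C "$REPO" config user.signingkey "$keyid"
    printf 'demo project\n' > "$REPO/README"
    git -C "$REPO" add README
    git -C "$REPO" commit -q -m "Initial import"
    git -C "$REPO" tag -s v1.0.0 -m "Release v1.0.0"
}

# 3. Release artifact built from the tag, plus an ASCII-armored detached signature.
make_signed_artifact() {
    keyid="$1"
    git -C "$REPO" archive --format=tar --prefix=demo-1.0.0/ -o "$ARTIFACT" v1.0.0
    gpg --batch --yes --armor --local-user "$keyid" --detach-sign -o "$ARTIFACT.asc" "$ARTIFACT"
}

# Consumer-side checks. Each returns 0 on a good signature, non-zero otherwise.
verify_tag()      { git -C "$REPO" tag -v v1.0.0 >/dev/null 2>&1; }
verify_artifact() { gpg --batch --verify "$ARTIFACT.asc" "$ARTIFACT" >/dev/null 2>&1; }

# Appending a single byte must make the detached signature invalid.
verify_tampered_artifact() {
    cp "$ARTIFACT" "$WORK/tampered.tar"
    printf 'x' >> "$WORK/tampered.tar"
    gpg --batch --verify "$ARTIFACT.asc" "$WORK/tampered.tar" >/dev/null 2>&1
}

KEYID=$(make_demo_key)
make_signed_tag "$KEYID"
make_signed_artifact "$KEYID"

verify_tag      && echo "tag v1.0.0: good signature"
verify_artifact && echo "$(basename "$ARTIFACT"): good signature"
if verify_tampered_artifact; then
    echo "ERROR: tampered artifact verified" >&2
    exit 1
fi
echo "tampered copy: signature rejected, as expected"
```

The verification functions are the part a downstream consumer actually needs: `git tag -v` and `gpg --verify` only report a good signature when the signer's public key is already in the verifier's keyring, so a project still has to publish its release key fingerprint through a channel the consumer trusts. The tampered-copy check shows that the detached signature covers the artifact bytes, not its file name, which is what makes it stronger than a checksum hosted next to the tarball.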

Nathan Loofbourrow
 

For both Windows and Mac OSX, you will need a developer signing certificate which is used to ensure the origin of the compiled code. Similar to GPG, but verified by the OS rather than by a package manager.

Let me know if you need additional details.

n


On Tue, Aug 21, 2018 at 9:24 PM Thanh Ha <thanh.ha@...> wrote:

Thanh Ha
 

Yep, we'll have to figure out Windows and Mac once we get the infra for those in place and working. I have some experience with signing OSX code from a past life which might be of use. Today our infra is mainly Linux based, so our signing services are a lot more mature on the Linux platform, but as we get the non-Linux builders up and running we will definitely be interested in rolling out tooling to support those platforms as well.

Regards,
Thanh


On Mon, Aug 27, 2018 at 11:19 AM Nathan Loofbourrow <njloof@...> wrote: