Opened 6 years ago

Closed 4 years ago

Last modified 4 years ago

#11300 closed task (not a bug)

Find a secure signing machine for TBB signing

Reported by: mikeperry Owned by:
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Keywords:
Cc: erinn, gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We need a new machine (or we need to re-purpose an old one) for purposes of signing the individual bundle packages. We would like several builders to have access to this machine, so we can have a shared key on it used to sign the packages (to prevent timezone issues/downtime/vacation from blocking a release).

See the parent ticket for information about how we handle the shared key.

Child Tickets

Change History (17)

comment:1 Changed 6 years ago by phobos

Why is this assigned to me?

comment:2 Changed 6 years ago by mikeperry

phobos: We currently lack hardware for this purpose. Weasel suggested that you were the person to find a machine for us. He said it should probably live in the Tor office, for physical security.

We could instead have Erinn try to hunt down a machine via donations (which she has been having luck with), and have it mailed there, if that is OK. Should we try to go that route, or is there an existing machine we can use instead? The downsides being we're trusting some random to give us hardware that we need to ensure package integrity, though, so perhaps a new machine is best?

comment:3 Changed 6 years ago by mikeperry

Cc: weasel removed

weasel wants off this ticket. Hopefully it's not too late to remove him. He does maintain that none of our existing machines are really suitable for this purpose, though.

comment:4 in reply to: 2; Changed 6 years ago by phobos

Replying to mikeperry:

phobos: We currently lack hardware for this purpose. Weasel suggested that you were the person to find a machine for us. He said it should probably live in the Tor office, for physical security.

The tor office is not the place to host machines, especially if you want physical security. Probably better off hosting an old laptop in someone's house than putting any "secure" machine in the office.

We could instead have Erinn try to hunt down a machine via donations (which she has been having luck with), and have it mailed there, if that is OK. Should we try to go that route, or is there an existing machine we can use instead? The downsides being we're trusting some random to give us hardware that we need to ensure package integrity, though, so perhaps a new machine is best?

And then we're trusting the NSA/shipper/creator to not modify it in transit? How far down this rathole do we go?

comment:5 in reply to: 4; Changed 6 years ago by gk

Replying to phobos:

Replying to mikeperry:

phobos: We currently lack hardware for this purpose. Weasel suggested that you were the person to find a machine for us. He said it should probably live in the Tor office, for physical security.

The tor office is not the place to host machines, especially if you want physical security. Probably better off hosting an old laptop in someone's house than putting any "secure" machine in the office.

I think not having the machine in the tor office is indeed a good idea. But still, we need a machine first before deciding where it should be...

comment:6 Changed 6 years ago by mo

If you want, we can put it into the Donaukurier datacenter (DE, Ingolstadt).

comment:7 Changed 6 years ago by mikeperry

For the record: I am 110% in favor of hosting the TBB signing server in the birthplace of the Bavarian Illuminati.

comment:8 Changed 6 years ago by phobos

We have retired laptops in the office. Or just use lemmonii for the signing.

comment:9 Changed 6 years ago by phobos

Owner: phobos deleted
Status: new → assigned

re-assigning to no one. nothing I can do here.

comment:10 Changed 6 years ago by erinn

I'm also in favor of mo's plan. There was some discussion on IRC somewhere about possible hardware tools we could use -- could someone who was there post a summary of what was discussed? I recall mo saying that he is in Ingolstadt every two weeks and can be there within the hour if something goes wrong.

comment:11 Changed 5 years ago by mikeperry

It looks like we can in fact use a Linux machine to sign windows executables, via osslsigncode: http://sourceforge.net/projects/osslsigncode/

Still looking into MacOS.
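To make the Linux-side Windows signing flow concrete, here is an added example (not Tor Project code and not part of the ticket): a small Python helper that builds the osslsigncode `sign` command line and then performs an offline post-signing check by parsing the PE security directory to confirm the output actually carries an embedded Authenticode (WIN_CERTIFICATE / PKCS#7 SignedData) blob. The PEM paths, publisher name, URL and timestamp server are placeholders, and the minimal PE image is constructed in-memory purely so the check can be exercised without a real binary.

```python
"""Helpers for signing Windows executables on Linux with osslsigncode and
sanity-checking the result.  Added example; the file paths and URLs are
assumptions, and the PE parsing is a presence check, not a signature
verification (use `osslsigncode verify` for that)."""
import struct
import sys
from typing import List, Optional

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode payload type
SECURITY_DIRECTORY_INDEX = 4


def osslsigncode_sign_cmd(infile: str, outfile: str, cert_pem: str, key_pem: str,
                          name: str, url: str, ts_url: Optional[str] = None) -> List[str]:
    """Build argv for `osslsigncode sign` using a SHA-256 digest.
    cert_pem/key_pem/name/url/ts_url are placeholders chosen by the caller."""
    cmd = ["osslsigncode", "sign", "-certs", cert_pem, "-key", key_pem,
           "-h", "sha256", "-n", name, "-i", url]
    if ts_url:
        # Timestamping keeps the signature valid after the signing cert expires.
        cmd += ["-t", ts_url]
    cmd += ["-in", infile, "-out", outfile]
    return cmd


def authenticode_blob(pe: bytes) -> Optional[dict]:
    """Return details of the embedded WIN_CERTIFICATE, or None if the PE has no
    security directory.  Unlike other directories, its 'RVA' is a raw file offset."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # skip 'PE\0\0' and the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        n_dd_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        n_dd_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, n_dd_off)[0] <= SECURITY_DIRECTORY_INDEX:
        return None                               # too few data directories to hold one
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_off + SECURITY_DIRECTORY_INDEX * 8)
    if sec_off == 0 or sec_size == 0:
        return None
    if sec_off + sec_size > len(pe) or sec_size < 8:
        raise ValueError("security directory points outside the file or is truncated")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    return {"offset": sec_off, "length": length, "revision": revision, "type": cert_type,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def build_minimal_pe(signed: bool, plus: bool = True) -> bytes:
    """Construct a tiny, non-runnable PE32/PE32+ image (constructed test input)
    with zeroed headers and, optionally, a dummy WIN_CERTIFICATE appended."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(struct.pack("<H", PE32PLUS_MAGIC if plus else PE32_MAGIC) + b"\0" * (opt_size - 2))
    struct.pack_into("<I", opt, 108 if plus else 92, 16)   # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    blob = b""
    if signed:
        fake_der = b"\x30\x82"                    # constructed stand-in for PKCS#7 SignedData
        blob = struct.pack("<IHH", 8 + len(fake_der), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_der
        struct.pack_into("<II", opt, (112 if plus else 96) + SECURITY_DIRECTORY_INDEX * 8,
                         header_len, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    # Usage: python check_signed.py signed.exe
    with open(sys.argv[1], "rb") as fh:
        info = authenticode_blob(fh.read())
    print("unsigned" if info is None else "signed: %r" % info)
```

The presence check is deliberately cheap: it catches the common release mistake of shipping the unsigned input instead of the `-out` file, but it says nothing about whether the signature chains to the intended certificate. The authoritative step on the signing host remains `osslsigncode verify -in <file>`.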

comment:12 Changed 5 years ago by mikeperry

The situation on MacOS is looking pretty grim. There is an experimental security tool called ldid that a few people have forked:
http://iphonedevwiki.net/index.php/Ldid
https://github.com/rpetrich/ldid

However, that doesn't seem to work as an actual signing tool. In fact, when some guy tried to script signing of a Linux-created DMG over SSH, he ultimately gave up and went back to building DMGs on Mac:
http://www.elstensoftware.com/blog/2013/04/17/scripting-dmg-build-osx-linux/

Ugly.

comment:13 Changed 5 years ago by gk

Parent ID: #11299

comment:14 Changed 4 years ago by qbi

I'm just going through old Sysadmin tickets and I'm not sure if this ticket is still needed as the parent ticket was deleted/fixed. If it is open on purpose, what are some good steps for getting a machine and transferring it to mo?

comment:15 Changed 4 years ago by ln5

SUNET is happy to either host a signing machine using the DigiCert thingie for signing or, if possible, put keys into an existing HSM system.

For the first alternative, I need to go buy two RPIs, pick a distribution and install it. I've secured physical hosting space in a place that I have access to and knowledge about who enters.

For the second alternative, someone needs to either make a new request for a signing key or find out a way of (wrapping and) exporting the key from the DigiCert token.

Let me know which one is preferred.

comment:17 in reply to: 15; Changed 4 years ago by gk

Resolution: not a bug
Status: assigned → closed

Replying to ln5:

SUNET is happy to either host a signing machine using the DigiCert thingie for signing or, if possible, put keys into an existing HSM system.

For the first alternative, I need to go buy two RPIs, pick a distribution and install it. I've secured physical hosting space in a place that I have access to and knowledge about who enters.

For the second alternative, someone needs to either make a new request for a signing key or find out a way of (wrapping and) exporting the key from the DigiCert token.

Let me know which one is preferred.

Thanks for the offer. I think going with option 1 sounds good to me. I'll talk to you about the details once we are about to actually make real progress on the signing machine idea. We have to solve #15538 first one way or another. Anyway, the sysadmin team is not needed at the moment. Thus, closing for now.

Last edited 4 years ago by gk