conference logo

Playlist "All Systems Go! 2024"

Boring infrastructure: Building a secure signing environment

David Runge

Many Linux distributions rely on cryptographic signatures for their packages and release artifacts. However, most of the used signing solutions either do not rely on hardware backed private key material or are run in untrusted environments.

This presentation will provide a general overview of the [Signstar](https://gitlab.archlinux.org/archlinux/signstar/) project, which is currently under development by Arch Linux to provide a generic signing solution based on a Hardware Security Module (HSM).

To improve build automation and general supply chain security for Arch Linux, some of its developers have started to conceptualize and work on a generic, central signing solution: [Signstar](https://gitlab.archlinux.org/archlinux/signstar/).
In this context, related work has been evaluated for adoption, but it soon became clear, that to meet the distribution's requirements a custom solution would be implemented.

For transparency and auditability reasons Nitrokey's NetHSM has been chosen as Hardware Security Module (HSM).
Developers are actively working on a high-level Rust library and CLI to interface with the device over network.

In this presentation I will introduce the viewer to some of Arch Linux's relevant history and requirements, the evaluated architecture and setup.
Together we will have a look at Signstar's threat model, its design for minimizing credentials exposure of the HSM, as well as its integration with the OpenPGP ecosystem.
Additionally, we will explore avenues for future work on other generic cryptographic operations in the context of X.509, SSH and Secure Boot.

Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/